I'm building a REST API, and the problem I have is a resource (applications) that can be created by anyone, but once it has been created it may only be retrieved and updated by authenticated users with a given role.
The problem is that I protect this resource in the firewall section of security.yml, but it doesn't let me configure it for specific HTTP methods.
Here is my security.yml:
security:
    # http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        OAuth2\ServerBundle\Entity\User:
            algorithm: sha512
            encode_as_base64: true
            iterations: 5000

    # http://symfony.com/doc/current/book/security.html#hierarchical-roles
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        in_memory:
            memory:
                users:
                    user:  { password: userpass, roles: [ 'ROLE_USER' ] }
                    admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
        oauth2:
            id: oauth2.user_provider

    # the main part of the security, where you can set up firewalls
    # for specific sections of your app
    firewalls:
        api:
            pattern: ^/api/(agents|regions|applications)
            stateless: true
            simple_preauth:
                authenticator: dnd_token_authenticator

        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

    # with these settings you can restrict or allow access for different parts
    # of your application based on roles, ip, host or methods
    # http://symfony.com/doc/current/cookbook/security/access_control.html
    access_control:
        #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
        #- { path: ^/api/applications, roles: IS_AUTHENTICATED_ANONYMOUSLY, methods: POST }
Answer 0 (score: 0)
You can have two sections in your yaml with the same pattern but different methods. One for read_api and another for write_api. You can control the security of each section as you need.
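The two-firewall layout the answer describes, written out as an added example (it is not part of the question or the answer above). The firewall names `create_api` and `api` are assumptions; `dnd_token_authenticator` and the `^/api/...` pattern are taken from the question. It assumes a Symfony version whose firewall configuration accepts the `methods` option. The anonymous firewall is listed first because Symfony uses the first firewall whose matcher fits the request, so putting it after `api` would leave POST requests hitting the token authenticator as before.

```yaml
security:
    firewalls:
        # Anonymous creation only: matches POST /api/applications and nothing else.
        # `anonymous: true` (rather than `security: false`) keeps the request inside
        # the security layer, so the access_control rules below still apply to it.
        create_api:
            pattern: ^/api/applications
            methods: [POST]
            stateless: true
            anonymous: true

        # Every other verb on the API (GET, PUT, ...) goes through the token authenticator.
        api:
            pattern: ^/api/(agents|regions|applications)
            stateless: true
            simple_preauth:
                authenticator: dnd_token_authenticator

    access_control:
        # Creation is open; the firewall above already limits this rule to POST.
        - { path: ^/api/applications, roles: IS_AUTHENTICATED_ANONYMOUSLY, methods: [POST] }
        # Reading and updating an application requires an authenticated user with ROLE_USER.
        - { path: ^/api/applications, roles: ROLE_USER, methods: [GET, PUT] }
        # Default for the rest of the API: deny-by-default rather than relying on a missing rule.
        - { path: ^/api, roles: ROLE_USER }
```

Two things worth checking after applying this: `debug:router` and `debug:config security` confirm the firewall order, and a quick `curl -X PUT` without a token against `/api/applications/<id>` should come back with a 401 from the `api` firewall, not a 200, which proves that the anonymous firewall really is limited to POST.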