我希望仅对角色为“ ROLE_ADMIN”的用户提供API平台管理应用。 我根据文档https://api-platform.com/docs/admin/authentication-support/设置了身份验证,并且一切正常,但是现在每个登录的用户都可以访问admin部分。
我试图通过“ access_control”来限制对单个端点的访问,如下所示,但是站点仅显示“正在加载...”,我得到:
GET https://localhost:8443/provinces 401
fetchResource.js:50 Uncaught (in promise) Error: Unreachable resource
at fetchResource.js:50
api / config / packages / security.yaml
security:
encoders:
App\Entity\User:
algorithm: argon2i
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
providers:
# used to reload user from session & other features (e.g. switch_user)
app_user_provider:
entity:
class: App\Entity\User
property: email
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
stateless: true
anonymous: true
provider: app_user_provider
json_login:
check_path: /authentication_token
username_path: email
password_path: password
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
# activate different ways to authenticate
# https://symfony.com/doc/current/security.html#firewalls-authentication
# https://symfony.com/doc/current/security/impersonating_user.html
# switch_user: true
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
access_control:
- { path: ^/provinces, roles: ROLE_ADMIN }
# - { path: ^/profile, roles: ROLE_USER }
有什么建议吗?
答案 0 :(得分:0)
您需要在前端应用程序中处理身份验证。
我的建议:使用docs中所述的JWT身份验证机制。 如果您没有使用React前端应用程序,那么,您需要适应(我使用Angular)