
As the title says, I am using Facebook, Google and GitHub authentication together with a JWT authenticator (LexikJWT).

Before I start, I want to know how to use them. Is it possible to use them at the same time to secure the API?

If so, what configuration should my security have? Assume I am using the default configuration.

This is the current security.yml:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    acl:
        connection: default

    access_decision_manager:
        strategy: affirmative

    role_hierarchy:
        ROLE_SALES_NOTIFICATIONS: [ ROLE_SALES_NOTIFICATIONS ]
        # FULL CONTROL
        ROLE_ADMIN:       [ROLE_USER, ROLE_SONATA_ADMIN]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        # Disabling the security for the web debug toolbar, the profiler and Assetic.
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # -> custom firewall for the admin area of the URL
        admin:
            pattern:            /admin(.*)
            context:            user
            form_login:
                provider:       fos_userbundle
                login_path:     /admin/login
                use_forward:    false
                check_path:     /admin/login_check
                failure_path:   null
                success_handler: admin_success_handler
            logout:
                path:           /admin/logout
            anonymous:          true

        # Custom firewall for api area
        api_login:
            pattern:  ^/api/auth
            stateless: true
            anonymous: true
            provider: fos_userbundle
            form_login:
                check_path:               /api/auth/check
                success_handler:          lexik_jwt_authentication.handler.authentication_success
                failure_handler:          lexik_jwt_authentication.handler.authentication_failure
                require_previous_session: false

        api:
            pattern:   ^/api/v\d+\.\d+/
            methods: [ POST, PUT ]
            stateless: true
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator

        api_doc:
            pattern: ^/api/doc
            stateless: true
            anonymous: true
        # -> end custom configuration

        # default login area for standard users

        # This firewall is used to handle the public login area
        # This part is handled by the FOS User Bundle
        main:
            pattern:             .*
            context:             user
            form_login:
                provider:       fos_userbundle
                login_path:     /login
                use_forward:    false
                check_path:     /login_check
                failure_path:   null
            logout:             true
            anonymous:          true

    access_control:
        # URL of FOSUserBundle which need to be available to anonymous users
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }

        # Admin login page needs to be accessible without credentials
        - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }

        # Secured part of the site
        # This config requires being logged in for the whole site and having the admin role for the admin part.
        # Change these rules to adapt them to your needs
        - { path: ^/assets/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/uploads/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
        - { path: ^/user/, role: [ROLE_USER] }
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/auth, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/auth/me, roles: IS_AUTHENTICATED_FULLY }
        - { path: ^/api/v\d+\.\d+/, roles: IS_AUTHENTICATED_FULLY }

I was thinking that using both of them as security providers would cause an error. Is that right?

1 Answer

I don't think using HWIOAuthBundle and LexikJWTBundle on the same project will cause an error.

Your api_login firewall will authenticate your API users, and your admin firewall will authenticate your back-office users.

Since your URL patterns are configured correctly, you shouldn't run into problems.

Answered 2017-08-07T15:26:17.637
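Symfony applies the first access_control entry whose path regex matches a request, so the order of the entries decides which role check is enforced. This added script (not from the question or the answer) replays that first-match rule over a constructed copy of the posted access_control entries, in the posted order and in a most-specific-first order, and reports which entries are never reached; the sample request paths are constructed too.

```python
import re
from typing import List, Optional, Tuple

Rule = Tuple[str, Tuple[str, ...]]  # (path regex, roles that satisfy the rule)
ANON, FULL = "IS_AUTHENTICATED_ANONYMOUSLY", "IS_AUTHENTICATED_FULLY"

# Constructed copy of the question's access_control entries, in the order posted.
POSTED_RULES: List[Rule] = [
    (r"^/login$", (ANON,)), (r"^/register", (ANON,)), (r"^/resetting", (ANON,)),
    (r"^/admin/login$", (ANON,)), (r"^/admin/logout$", (ANON,)),
    (r"^/admin/login_check$", (ANON,)),
    (r"^/assets/", (ANON,)), (r"^/uploads/", (ANON,)),
    (r"^/admin/", ("ROLE_ADMIN", "ROLE_SONATA_ADMIN")), (r"^/user/", ("ROLE_USER",)),
    (r"^/.*", (ANON,)),  # catch-all: every entry listed after it can never win
    (r"^/api/auth", (ANON,)), (r"^/api/auth/me", (FULL,)), (r"^/api/v\d+\.\d+/", (FULL,)),
]

# Same entries, most-specific first (/api/auth/me before /api/auth) and the catch-all last.
FIXED_RULES: List[Rule] = [
    (r"^/api/auth/me", (FULL,)), (r"^/api/auth", (ANON,)), (r"^/api/v\d+\.\d+/", (FULL,)),
] + [r for r in POSTED_RULES if not r[0].startswith("^/api") and r[0] != r"^/.*"] + [
    (r"^/.*", (ANON,)),
]

# Constructed request paths, one per intended entry.
SAMPLE_PATHS = ["/login", "/register", "/resetting/request", "/admin/login", "/admin/logout",
                "/admin/login_check", "/assets/app.css", "/uploads/a.png", "/admin/dashboard",
                "/user/profile", "/", "/api/auth/check", "/api/auth/me", "/api/v1.0/orders"]

def first_match_index(rules: List[Rule], path: str) -> Optional[int]:
    """Symfony semantics: the first access_control entry whose regex matches the path wins."""
    for i, (pattern, _roles) in enumerate(rules):
        if re.search(pattern, path):
            return i
    return None  # no entry matched; access_control imposes nothing on this path

def required_roles(rules: List[Rule], path: str) -> Optional[Tuple[str, ...]]:
    """Roles the winning entry demands for `path`, or None if no entry matches."""
    i = first_match_index(rules, path)
    return None if i is None else rules[i][1]

def shadowed_patterns(rules: List[Rule], paths: List[str]) -> List[str]:
    """Entries no sample path ever reaches: an earlier, broader entry always wins first."""
    reached = {first_match_index(rules, p) for p in paths}
    return [pattern for i, (pattern, _roles) in enumerate(rules) if i not in reached]
```

With the posted order, `required_roles(POSTED_RULES, "/api/auth/me")` yields the anonymous role because the `^/.*` entry wins first, and `shadowed_patterns` lists all three `/api` entries; with `FIXED_RULES` the same path requires IS_AUTHENTICATED_FULLY and nothing is shadowed.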