Using pre Authenticated Security Firewalls

Warning: You are browsing the documentation for Symfony 2.4, which is no longer maintained.

Read the updated version of this page for Symfony 6.2 (the current stable version).

Some web servers, including Apache, already provide many authentication modules. These modules generally set environment variables that can be used to determine which user is accessing your application. Out of the box, Symfony supports most authentication mechanisms. These requests are called pre-authenticated requests because the user is already authenticated when the request reaches your application.

X.509 Client Certificate Authentication

When using client certificates, your web server performs the entire authentication process itself. With Apache, for example, you would use the SSLVerifyClient Require directive.

Enable the x509 authentication for a particular firewall in the security configuration:

YAML:
# app/config/security.yml
security:
    firewalls:
        secured_area:
            pattern: ^/
            x509:
                provider: your_user_provider

XML:
<?xml version="1.0" ?>
<!-- app/config/security.xml -->
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:srv="http://symfony.com/schema/dic/services">

    <config>
        <firewall name="secured_area" pattern="^/">
            <x509 provider="your_user_provider"/>
        </firewall>
    </config>
</srv:container>

PHP:
// app/config/security.php
$container->loadFromExtension('security', array(
    'firewalls' => array(
        'secured_area' => array(
            'pattern' => '^/',
            'x509'    => array(
                'provider' => 'your_user_provider',
            ),
        ),
    ),
));

By default, the firewall provides the SSL_CLIENT_S_DN_Email variable to the user provider, and sets the SSL_CLIENT_S_DN as credentials in the PreAuthenticatedToken. You can override these by setting the user and the credentials keys in the x509 firewall configuration respectively.

Note

An authentication provider will only inform the user provider of the username that made the request. You will need to create (or use) a "user provider" that is referenced by the provider configuration parameter (your_user_provider in the configuration example). This provider will turn the username into a User object of your choice. For more information on creating or configuring a user provider, see:

  • How to Create a custom User Provider
  • How to Load Security Users from the Database (the Entity Provider)
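
A minimal user provider for the x509 firewall, as an added example that is not part of the original Symfony documentation. The namespace, the class name CertificateUserProvider and the allow-list passed to the constructor are hypothetical. The provider receives the certificate e-mail as the username and rejects identities it does not know, so a certificate accepted by the web server does not by itself grant an account.

```php
<?php
// Added example: namespace, class name and allow-list are hypothetical.
namespace Acme\DemoBundle\Security;

use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\User;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class CertificateUserProvider implements UserProviderInterface
{
    private $rolesByEmail = array(); // lower-cased certificate e-mail => roles

    public function __construct(array $rolesByEmail)
    {
        foreach ($rolesByEmail as $email => $roles) {
            $this->rolesByEmail[strtolower($email)] = $roles;
        }
    }

    // Called by the x509 firewall with the value of SSL_CLIENT_S_DN_Email
    // (or of the variable named by the "user" key of the firewall).
    public function loadUserByUsername($username)
    {
        $key = strtolower(trim($username));
        if ($key === '' || !isset($this->rolesByEmail[$key])) {
            // The web server only proved that the certificate is valid;
            // identities missing from the allow-list are refused here.
            throw new UsernameNotFoundException(sprintf('No account for certificate identity "%s".', $username));
        }
        // Certificate authentication has no password, hence the empty string.
        return new User($key, '', $this->rolesByEmail[$key]);
    }

    public function refreshUser(UserInterface $user)
    {
        if (!$user instanceof User) {
            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
        }
        // Reload so that a removed allow-list entry takes effect on the next request.
        return $this->loadUserByUsername($user->getUsername());
    }

    public function supportsClass($class)
    {
        return $class === 'Symfony\Component\Security\Core\User\User';
    }
}
```

To use it, register the class as a service and reference that service with the id key of your_user_provider under security.providers.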
This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.