The Entry Point: Helping Users Start Authentication
Warning: You are browsing the documentation for Symfony 6.2, which is no longer maintained.
Read the updated version of this page for Symfony 7.1 (the current stable version).
The Entry Point: Helping Users Start Authentication
When an unauthenticated user tries to access a protected page, Symfony gives them a suitable response to let them start authentication (e.g. redirect to a login form or show a 401 Unauthorized HTTP response for APIs).
However sometimes, one firewall has multiple ways to authenticate (e.g. both a form login and a social login). In these cases, it is required to configure the authentication entry point.
You can configure this using the entry_point
setting:
1 2 3 4 5 6 7 8 9 10 11 12 13
# config/packages/security.yaml
security:
# ...
firewalls:
main:
# allow authentication using a form or a custom authenticator
form_login: ~
custom_authenticators:
- App\Security\SocialConnectAuthenticator
# configure the form authentication as the entry point for unauthenticated users
entry_point: form_login
Note
You can also create your own authentication entry point by creating a
class that implements
AuthenticationEntryPointInterface.
You can then set entry_point
to the service id (e.g.
entry_point: App\Security\CustomEntryPoint
)
Multiple Authenticators with Separate Entry Points
However, there are use cases where you have authenticators that protect different parts of your application. For example, you have a login form that protects the main website and API end-points used by external parties protected by API keys.
As you can only configure one entry point per firewall, the solution is to split the configuration into two separate firewalls:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
# config/packages/security.yaml
security:
# ...
firewalls:
api:
pattern: ^/api/
custom_authenticators:
- App\Security\ApiTokenAuthenticator
main:
lazy: true
form_login: ~
access_control:
- { path: '^/login', roles: PUBLIC_ACCESS }
- { path: '^/api', roles: ROLE_API_USER }
- { path: '^/', roles: ROLE_USER }