The Entry Point: Helping Users Start Authentication
Warning: You are browsing the documentation for Symfony 6.3, which is no longer maintained.
Read the updated version of this page for Symfony 7.2 (the current stable version).
When an unauthenticated user tries to access a protected page, Symfony gives them a suitable response to let them start authentication (e.g. redirect to a login form or show a 401 Unauthorized HTTP response for APIs).
However sometimes, one firewall has multiple ways to authenticate (e.g. both a form login and a social login). In these cases, it is required to configure the authentication entry point.
You can configure this using the entry_point
setting:
1 2 3 4 5 6 7 8 9 10 11 12 13
# config/packages/security.yaml
security:
# ...
firewalls:
main:
# allow authentication using a form or a custom authenticator
form_login: ~
custom_authenticators:
- App\Security\SocialConnectAuthenticator
# configure the form authentication as the entry point for unauthenticated users
entry_point: form_login
Note
You can also create your own authentication entry point by creating a
class that implements
AuthenticationEntryPointInterface.
You can then set entry_point
to the service id (e.g.
entry_point: App\Security\CustomEntryPoint
)
Multiple Authenticators with Separate Entry Points
However, there are use cases where you have authenticators that protect different parts of your application. For example, you have a login form that protects the main website and API end-points used by external parties protected by API keys.
As you can only configure one entry point per firewall, the solution is to split the configuration into two separate firewalls:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
# config/packages/security.yaml
security:
# ...
firewalls:
api:
pattern: ^/api/
custom_authenticators:
- App\Security\ApiTokenAuthenticator
main:
lazy: true
form_login: ~
access_control:
- { path: '^/login', roles: PUBLIC_ACCESS }
- { path: '^/api', roles: ROLE_API_USER }
- { path: '^/', roles: ROLE_USER }