The Entry Point: Helping Users Start Authentication

Version: 5.3
Edit this page

The Entry Point: Helping Users Start Authentication

When an unauthenticated user tries to access a protected page, Symfony gives them a suitable response to let them start authentication (e.g. redirect to a login form or show a 401 Unauthorized HTTP response for APIs).

However sometimes, one firewall has multiple ways to authenticate (e.g. both a form login and a social login). In these cases, it is required to configure the authentication entry point.

You can configure this using the entry_point setting:

  • YAML
  • XML
  • PHP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# config/packages/security.yaml
security:
    enable_authenticator_manager: true

    # ...
    firewalls:
        main:
            # allow authentication using a form or a custom authenticator
            form_login: ~
            custom_authenticators:
                - App\Security\SocialConnectAuthenticator

            # configure the form authentication as the entry point for unauthenticated users
            entry_point: form_login

Note

You can also create your own authentication entry point by creating a class that implements AuthenticationEntryPointInterface. You can then set entry_point to the service id (e.g. entry_point: App\Security\CustomEntryPoint)

Multiple Authenticators with Separate Entry Points

However, there are use cases where you have authenticators that protect different parts of your application. For example, you have a login form that protects the main website and API end-points used by external parties protected by API keys.

As you can only configure one entry point per firewall, the solution is to split the configuration into two separate firewalls:

  • YAML
  • XML
  • PHP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# config/packages/security.yaml
security:
    # ...
    firewalls:
        api:
            pattern: ^/api/
            custom_authenticators:
                - App\Security\ApiTokenAuthenticator
        main:
            lazy: true
            form_login: ~

    access_control:
        - { path: '^/login', roles: PUBLIC_ACCESS }
        - { path: '^/api', roles: ROLE_API_USER }
        - { path: '^/', roles: ROLE_USER }
This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.