The security.yml Configuration File
The security.yml
configuration file describes the authentication and
authorization rules for a symfony application.
When an application is created, symfony generates a default security.yml
file in the application config/
directory which describes the security for
the whole application (under the default
key):
default: is_secure: off
As discussed in the introduction, the security.yml
file benefits from
the configuration cascade mechanism,
and can include constants.
The default application configuration can be overridden for a module by
creating a security.yml
file in the config/
directory of the module. The
main keys are action names without the execute
prefix (index
for the
executeIndex
method for instance).
To determine if an action is secure or not, symfony looks for the information in the following order:
a configuration for the specific action in the module configuration file if it exists;
a configuration for the whole module in the module configuration file if it exists (under the
all
key);the default application configuration (under the
default
key).
The same precedence rules are used to determine the credentials needed to access an action.
note
The security.yml
configuration file is cached as a PHP file; the
process is automatically managed by the sfSecurityConfigHandler
class.
Authentication
The default configuration of security.yml
, installed by default for each
application, authorizes access to anybody:
default: is_secure: off
By setting the is_secure
key to on
in the application security.yml
file, the entire application will require authentication for all users.
note
When an un-authenticated user tries to access a secured action, symfony
forwards the request to the login
action configured in settings.yml
.
To modify authentication requirements for a module, create a security.yml
file in the config/
directory of the module and define an all
key:
all: is_secure: on
To modify authentication requirements for a single action of a module, create
a security.yml
file in the config/
directory of the module and define a
key after the name of the action:
index: is_secure: off
tip
It is not possible to secure the login action. This is to avoid infinite recursion.
Authorization
When a user is authenticated, the access to some actions can be even more restricted by defining credentials. When credentials are defined, a user must have the required credentials to access the action:
all: is_secure: on credentials: admin
The credential system of symfony is simple and powerful. A credential is a string that can represent anything you need to describe the application security model (like groups or permissions).
The credentials
key supports Boolean operations to describe complex
credential requirements by using the notation array.
If a user must have the credential A and the credential B, wrap the credentials with square brackets:
index: credentials: [A, B]
If a user must have credential the A or the credential B, wrap them with two pairs of square brackets:
index: credentials: [[A, B]]
You can also mix and match brackets to describe any kind of Boolean expression with any number of credentials.
This work is licensed under the Creative Commons Attribution-Share Alike 3.0 Unported License license.