|
4 | 4 | How to Restrict Firewalls to a Request |
5 | 5 | ====================================== |
6 | 6 |
|
7 | | -When using the Security component, you can create firewalls that match certain request options. |
8 | | -In most cases, matching against the URL is sufficient, but in special cases, you can further |
9 | | -restrict the initialization of a firewall against other options of the request. |
| 7 | +When using the Security component, firewalls will decide whether they handle a request based on the |
| 8 | +result of a request matcher: the first firewall matching the request will handle it. |
| 9 | + |
| 10 | +The last firewall can be configured without any matcher to handle every request it sees. |
| 11 | + |
| 12 | +Restricting by Service |
| 13 | +---------------------- |
| 14 | + |
| 15 | +You can configure any service implementing ``Symfony\Component\HttpFoundation\RequestMatcherInterface`` |
| 16 | +as ``request_matcher``. |
| 17 | + |
| 18 | +.. configuration-block:: |
| 19 | + |
| 20 | + .. code-block:: yaml |
| 21 | +
|
| 22 | + # config/packages/security.yaml |
| 23 | +
|
| 24 | + # ... |
| 25 | + security: |
| 26 | + firewalls: |
| 27 | + secured_area: |
| 28 | + request_matcher: app.firewall.secured_area.request_matcher |
| 29 | + # ... |
| 30 | +
|
| 31 | + .. code-block:: xml |
| 32 | +
|
| 33 | + <!-- config/packages/security.xml --> |
| 34 | + <?xml version="1.0" encoding="UTF-8"?> |
| 35 | + <srv:container xmlns="http://symfony.com/schema/dic/security" |
| 36 | + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| 37 | + xmlns:srv="http://symfony.com/schema/dic/services" |
| 38 | + xsi:schemaLocation="http://symfony.com/schema/dic/services |
| 39 | + https://symfony.com/schema/dic/services/services-1.0.xsd"> |
| 40 | +
|
| 41 | + <config> |
| 42 | + <!-- ... --> |
| 43 | + <firewall name="secured_area" request-matcher="app.firewall.secured_area.request_matcher"> |
| 44 | + <!-- ... --> |
| 45 | + </firewall> |
| 46 | + </config> |
| 47 | + </srv:container> |
| 48 | +
|
| 49 | + .. code-block:: php |
| 50 | +
|
| 51 | + // config/packages/security.php |
| 52 | +
|
| 53 | + // ... |
| 54 | + $container->loadFromExtension('security', [ |
| 55 | + 'firewalls' => [ |
| 56 | + 'secured_area' => [ |
| 57 | + 'request_matcher' => 'app.firewall.secured_area.request_matcher', |
| 58 | + // ... |
| 59 | + ], |
| 60 | + ], |
| 61 | + ]); |
| 62 | +
|
| 63 | +However in most cases you don’t need to create these matchers yourself as Symfony can do it for you based |
| 64 | +on the firewalls’ configuration. |
| 65 | + |
| 66 | +Restricting by Configuration |
| 67 | +---------------------------- |
10 | 68 |
|
11 | 69 | .. note:: |
12 | 70 |
|
13 | | - You can use any of these restrictions individually or mix them together to get |
| 71 | + You can use any of the following restrictions individually or mix them together to get |
14 | 72 | your desired firewall configuration. |
15 | 73 |
|
16 | | -Restricting by Pattern |
17 | | ----------------------- |
| 74 | +Restricting by Path |
| 75 | +~~~~~~~~~~~~~~~~~~~ |
18 | 76 |
|
19 | | -This is the default restriction and restricts a firewall to only be initialized if the request URL |
| 77 | +This is the default restriction and restricts a firewall to only be initialized if the request path |
20 | 78 | matches the configured ``pattern``. |
21 | 79 |
|
22 | 80 | .. configuration-block:: |
@@ -65,12 +123,12 @@ matches the configured ``pattern``. |
65 | 123 | ]); |
66 | 124 |
|
67 | 125 | The ``pattern`` is a regular expression. In this example, the firewall will only be |
68 | | -activated if the URL starts (due to the ``^`` regex character) with ``/admin``. If |
69 | | -the URL does not match this pattern, the firewall will not be activated and subsequent |
| 126 | +activated if the path starts (due to the ``^`` regex character) with ``/admin``. If |
| 127 | +the path does not match this pattern, the firewall will not be activated and subsequent |
70 | 128 | firewalls will have the opportunity to be matched for this request. |
71 | 129 |
|
72 | 130 | Restricting by Host |
73 | | -------------------- |
| 131 | +~~~~~~~~~~~~~~~~~~~ |
74 | 132 |
|
75 | 133 | If matching against the ``pattern`` only is not enough, the request can also be matched against |
76 | 134 | ``host``. When the configuration option ``host`` is set, the firewall will be restricted to |
@@ -129,7 +187,7 @@ and subsequent firewalls will have the opportunity to be matched for this |
129 | 187 | request. |
130 | 188 |
|
131 | 189 | Restricting by HTTP Methods |
132 | | ---------------------------- |
| 190 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
133 | 191 |
|
134 | 192 | The configuration option ``methods`` restricts the initialization of the firewall to |
135 | 193 | the provided HTTP methods. |
|
0 commit comments