|
4 | 4 | How to Restrict Firewalls to a Specific Request |
5 | 5 | =============================================== |
6 | 6 |
|
7 | | -When using the Security component, you can create firewalls that match certain request options. |
8 | | -In most cases, matching against the URL is sufficient, but in special cases you can further |
9 | | -restrict the initialization of a firewall against other options of the request. |
| 7 | +When using the Security component, firewalls will decide whether they handle a request based on the |
| 8 | +result of a request matcher: the first firewall matching the request will handle it. |
| 9 | + |
| 10 | +The last firewall can be configured without any matcher to handle every incoming request. |
| 11 | + |
| 12 | +Restricting by Configuration |
| 13 | +---------------------------- |
| 14 | + |
| 15 | +Most of the time you don't need to create matchers yourself as Symfony can do it for you based on the |
| 16 | +firewall configuration. |
10 | 17 |
|
11 | 18 | .. note:: |
12 | 19 |
|
13 | | - You can use any of these restrictions individually or mix them together to get |
| 20 | + You can use any of the following restrictions individually or mix them together to get |
14 | 21 | your desired firewall configuration. |
15 | 22 |
|
16 | | -Restricting by Pattern |
17 | | ----------------------- |
| 23 | +Restricting by Path |
| 24 | +~~~~~~~~~~~~~~~~~~~ |
18 | 25 |
|
19 | | -This is the default restriction and restricts a firewall to only be initialized if the request URL |
| 26 | +This is the default restriction and restricts a firewall to only be initialized if the request path |
20 | 27 | matches the configured ``pattern``. |
21 | 28 |
|
22 | 29 | .. configuration-block:: |
@@ -65,12 +72,12 @@ matches the configured ``pattern``. |
65 | 72 | ]); |
66 | 73 |
|
67 | 74 | The ``pattern`` is a regular expression. In this example, the firewall will only be |
68 | | -activated if the URL starts (due to the ``^`` regex character) with ``/admin``. If |
69 | | -the URL does not match this pattern, the firewall will not be activated and subsequent |
| 75 | +activated if the path starts (due to the ``^`` regex character) with ``/admin``. If |
| 76 | +the path does not match this pattern, the firewall will not be activated and subsequent |
70 | 77 | firewalls will have the opportunity to be matched for this request. |
71 | 78 |
|
72 | 79 | Restricting by Host |
73 | | -------------------- |
| 80 | +~~~~~~~~~~~~~~~~~~~ |
74 | 81 |
|
75 | 82 | If matching against the ``pattern`` only is not enough, the request can also be matched against |
76 | 83 | ``host``. When the configuration option ``host`` is set, the firewall will be restricted to |
@@ -129,7 +136,7 @@ and subsequent firewalls will have the opportunity to be matched for this |
129 | 136 | request. |
130 | 137 |
|
131 | 138 | Restricting by HTTP Methods |
132 | | ---------------------------- |
| 139 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
133 | 140 |
|
134 | 141 | The configuration option ``methods`` restricts the initialization of the firewall to |
135 | 142 | the provided HTTP methods. |
@@ -183,3 +190,54 @@ In this example, the firewall will only be activated if the HTTP method of the |
183 | 190 | request is either ``GET`` or ``POST``. If the method is not in the array of the |
184 | 191 | allowed methods, the firewall will not be activated and subsequent firewalls will again |
185 | 192 | have the opportunity to be matched for this request. |
| 193 | + |
| 194 | +Restricting by Service |
| 195 | +---------------------- |
| 196 | + |
| 197 | +If the above options don't fit your needs you can configure any service implementing |
| 198 | +:class:`Symfony\\Component\\HttpFoundation\\RequestMatcherInterface` as ``request_matcher``. |
| 199 | + |
| 200 | +.. configuration-block:: |
| 201 | + |
| 202 | + .. code-block:: yaml |
| 203 | +
|
| 204 | + # config/packages/security.yaml |
| 205 | +
|
| 206 | + # ... |
| 207 | + security: |
| 208 | + firewalls: |
| 209 | + secured_area: |
| 210 | + request_matcher: app.firewall.secured_area.request_matcher |
| 211 | + # ... |
| 212 | +
|
| 213 | + .. code-block:: xml |
| 214 | +
|
| 215 | + <!-- config/packages/security.xml --> |
| 216 | + <?xml version="1.0" encoding="UTF-8"?> |
| 217 | + <srv:container xmlns="http://symfony.com/schema/dic/security" |
| 218 | + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| 219 | + xmlns:srv="http://symfony.com/schema/dic/services" |
| 220 | + xsi:schemaLocation="http://symfony.com/schema/dic/services |
| 221 | + https://symfony.com/schema/dic/services/services-1.0.xsd"> |
| 222 | +
|
| 223 | + <config> |
| 224 | + <!-- ... --> |
| 225 | + <firewall name="secured_area" request-matcher="app.firewall.secured_area.request_matcher"> |
| 226 | + <!-- ... --> |
| 227 | + </firewall> |
| 228 | + </config> |
| 229 | + </srv:container> |
| 230 | +
|
| 231 | + .. code-block:: php |
| 232 | +
|
| 233 | + // config/packages/security.php |
| 234 | +
|
| 235 | + // ... |
| 236 | + $container->loadFromExtension('security', [ |
| 237 | + 'firewalls' => [ |
| 238 | + 'secured_area' => [ |
| 239 | + 'request_matcher' => 'app.firewall.secured_area.request_matcher', |
| 240 | + // ... |
| 241 | + ], |
| 242 | + ], |
| 243 | + ]); |
0 commit comments