doudiecai1572 2014-10-29 11:03
Views: 425
Accepted

What is the correct way to prevent non-logged-in users from accessing specific pages?

I have following structure on my website:

/Login page: when someone goes to the website, they automatically get to this page. It's not needed to be logged in.

When someone logs in, they get to the /game/welcome page. From there on they can access /game/account and such pages.

Now when I go straight to /game/welcome without logging in, I can access this page. How can I prevent this?

This is my security.yml file:

# you can read more about security in the related section of the documentation
# http://symfony.com/doc/current/book/security.html
security:
    # http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password
    encoders:
        Login\LoginBundle\Entity\User: sha512
            #algorithm: sha1
            #iterations: 1
            #encode_as_base64: true
        #Login\Loginbundle\Entity\User: sha512

    # http://symfony.com/doc/current/book/security.html#hierarchical-roles
    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        user:
            entity:
                class: Login\LoginBundle\Entity\User
                property: username
        #in_memory:
            #memory:
                #users:
                    #user:  { password: userpass, roles: [ 'ROLE_USER' ] }
                    #admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }

    # the main part of the security, where you can set up firewalls
    # for specific sections of your app
    firewalls:
        secured_area:
            pattern:   ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check
    access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
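As an added example (not part of the question or of any answer), here is the `access_control` section the configuration above is missing, keeping the same firewall, route names and encoder as the posted security.yml. The posted rule set only declares `^/login` as public and says nothing about `^/game`, so every path under /game is reachable anonymously; the rules below close that gap and annotate the two mistakes that most often reopen it (rule order and an unanchored pattern):

```yaml
security:
    firewalls:
        secured_area:
            pattern:   ^/
            anonymous: ~           # unauthenticated visitors need this to reach /login at all
            form_login:
                login_path: login  # entry point: anonymous requests to a protected path are redirected here
                check_path: login_check

    access_control:
        # Rules are matched top to bottom against the request path and the
        # first match wins, so the public login rule must come before any
        # rule that would also match it. ^/login matches /login_check too.
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # The rule the posted configuration lacks: everything under /game
        # requires a user who logged in during this session. ROLE_USER would
        # also work; IS_AUTHENTICATED_FULLY additionally excludes remember-me
        # sessions (use IS_AUTHENTICATED_REMEMBERED to accept those).
        # Keep the leading ^ anchor: the path is a regular expression that is
        # not anchored for you, so a bare "/game" would match any URL that
        # merely contains /game, and "game" would match even more.
        - { path: ^/game, roles: IS_AUTHENTICATED_FULLY }
        # Optional catch-all so that a new route prefix is protected by
        # default rather than public by default. It must stay last.
        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
```

With this in place, an anonymous request to /game/welcome is denied by the access map, and because the token is not fully authenticated the firewall's entry point redirects the visitor to the `login` route instead of returning a 403. Whenever a route pattern is renamed or moved, re-check these rules: the matching is purely on the URL, which is exactly the fragility the accepted answer points out.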

4 answers

  • dqdtgiw4736 2014-10-29 12:54

    Typically checking for the ROLE_USER should suffice, though it is probably more safe to check for the role IS_AUTHENTICATED_FULLY, which is set automatically by the security component for authenticated users if you want to differentiate from anonymous users.

    Instead of taking the path of setting up access_control in security.yml like the other answers suggest, I'd recommend securing the individual controllers instead.

    This has the advantage of not inadvertently disabling security when changing route URL patterns, or by making mistakes in the regular expressions, which I see happening a lot.

    With SensioFrameworkExtraBundle you can secure the controllers with an annotation:

    use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
    use Symfony\Bundle\FrameworkBundle\Controller\Controller;
    
    class DemoController extends Controller
    {
        /**
         * Deny the action unless the request carries a fully authenticated user.
         *
         * is_fully_authenticated() is the security expression-language function
         * for this check. has_role() only matches roles carried by the token,
         * and IS_AUTHENTICATED_FULLY is an authentication attribute, not a role,
         * so has_role('IS_AUTHENTICATED_FULLY') would never be true.
         *
         * @Security("is_fully_authenticated()")
         */
        public function indexAction()
        {
            // ...
        }
    }
    

    If you don't like annotations, you can do the check in your controller code as follows (when extending the default Controller class):

    use Symfony\Bundle\FrameworkBundle\Controller\Controller;
    
    class DemoController extends Controller
    {
        public function indexAction()
        {
            // security.context is the authorization service in Symfony 2.5, the
            // current version when this was written; from 2.6 on the same call is
            // $this->get('security.authorization_checker')->isGranted(...).
            // IS_AUTHENTICATED_FULLY holds only for a user who logged in during
            // this session, so anonymous and remember-me visitors are rejected.
            if (false === $this->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) {
                // For an anonymous visitor the firewall's entry point turns this
                // exception into a redirect to the login page; an authenticated
                // user who still fails the check gets a 403 response.
                throw $this->createAccessDeniedException('Unable to access this page!');
            }
    
            // ...
        }
    }
    
    This answer was selected as the best answer by the asker.
