douxi3977 2015-06-16 13:48
浏览 56
已采纳

Symfony2防火墙:保护/ web文件夹

I am developping a SF2 web-app which is fully behind a firewall: nobody shouldn't be able to see or modify anything before behing logged (except login form, of course).

So here is the firewall part of my security.yml file:

firewalls:
    dev:
        pattern:  ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main_login:
        pattern:   ^/login$
        anonymous: true
    main:
        pattern:        ^/
        anonymous:      false
        form_login:
            login_path: fos_user_security_login
            check_path: fos_user_security_check
        logout:
            path:       fos_user_security_logout
            target:     /

This works fine: if I type the url http://mywebsite.com/app.php/article/show/1 while unlogged, I am forwarded to the login page.

My problem is that I have some documents and media files located in Symfony's web directory (e.g. myapp/web/document/myTextFile.txt). They are accessible via my app for logged users, but also for non-logged users!

Anybody who types http://mywebsite.com/app.php/document/myTextFile.txt can download the file...

Why doesn't the pattern: ^/ line prevent this? Is the web folder excluded by default because it contains app.php and js/and css/ folder?

How do I protect my documents?


Update: Display protected images

I tried the solution suggested by Gerry, it works fine to protect the download of my documents.

However, I also have pictures in my document folder and I would like to display these pictures, directly included in the relevant pages.

For example, in http://mywebsite.com/app.php/article/show/1 there will be some text and the picture myapp/app/Resources/document/AAA.jpg, and in http://mywebsite.com/app.php/article/show/2 there will be some text and the picture myapp/app/Resources/document/BBB.jpg, etc.

I tried to do it with Assetic but it seems that it is done for "static" images (like top logo, or images which are not object-dependent).

A solution I see is to convert the image in Base64 and include it like this : <img alt="" src="data:image/png;base64(...)" />, but it seems really ugly...

  • 写回答

2条回答 默认 最新

  • doueta6642 2015-06-16 15:43
    关注

    The web directory is your public root directory, being served by the webserver (Apache/Nginx/...).

    By default any request to an existing file does not pass Symfony at all, so no firewall setting is going to prevent access to files residing in the web root.

    The clean solution is to move these files to another directory, outside the webroot, for example app/Resources/uploads. Then you could write a Symfony controller for downloading these files.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 Selenium+docker Chrome不能运行
  • ¥15 能给我一些人生建议吗
  • ¥15 mac电脑,安装charles后无法正常抓包
  • ¥18 visio打开文件一直显示文件未找到
  • ¥15 请教一下,openwrt如何让同一usb储存设备拔插后设备符号不变?
  • ¥50 使用quartz框架进行分布式任务定时调度,启动了两个实例,但是只有一个实例参与调度,另外一个实例没有参与调度,不知道是为什么?请各位帮助看一下原因!!
  • ¥50 怎么获取Ace Editor中的python代码后怎么调用Skulpt执行代码
  • ¥30 fpga基于dds生成幅值相位频率和波形可调的容易信号发生器。
  • ¥15 R语言shiny包和ncdf4包报错
  • ¥15 origin绘制有显著差异的柱状图和聚类热图