doudiecai1572 2014-10-29 11:03
Views: 425
Accepted

What is the correct way to prevent users who are not logged in from accessing specific pages?

I have following structure on my website:

/login page: when someone goes to the website, they automatically land on this page. It's not necessary to be logged in.

When someone logs in, they get to the /game/welcome page. From there on they can access /game/account and similar pages.

Now when I go straight to /game/welcome, without logging in, I can access this page. How can I prevent this?

This is my security.yml file:

# you can read more about security in the related section of the documentation
# http://symfony.com/doc/current/book/security.html
security:
    # http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password
    encoders:
        Login\LoginBundle\Entity\User: sha512
            #algorithm: sha1
            #iterations: 1
            #encode_as_base64: true
        #Login\Loginbundle\Entity\User: sha512

    # http://symfony.com/doc/current/book/security.html#hierarchical-roles
    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        user:
            entity:
                class: Login\LoginBundle\Entity\User
                property: username
        #in_memory:
            #memory:
                #users:
                    #user:  { password: userpass, roles: [ 'ROLE_USER' ] }
                    #admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }

    # the main part of the security, where you can set up firewalls
    # for specific sections of your app
    firewalls:
        secured_area:
            pattern:   ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check
    access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
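The posted access_control only ever grants access (anonymous on ^/login) and never requires anything for /game, which is why /game/welcome is reachable without logging in. Below is an added example, not part of the original question, of the access_control section that closes that gap; the firewall block is the asker's own, repeated only for context.

```yaml
security:
    firewalls:
        secured_area:
            pattern:   ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check

    # Rules are evaluated top to bottom and the FIRST matching rule wins.
    # Each "path" is a regular expression, so anchor it with ^ (an
    # unanchored "login" would also match /game/loginhistory).
    access_control:
        # The login page itself must stay reachable for anonymous users,
        # and must come before any broader rule that would shadow it.
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }

        # Everything under /game (welcome, account, ...) needs a real login.
        # IS_AUTHENTICATED_FULLY rejects anonymous users; use
        # IS_AUTHENTICATED_REMEMBERED instead if remember-me cookies
        # should also be accepted here.
        - { path: ^/game, roles: IS_AUTHENTICATED_FULLY }

        # Deny-by-default catch-all: a route added later is never exposed
        # just because nobody wrote a rule for it. Anonymous requests to
        # any other path are sent to the form_login entry point (/login).
        - { path: ^/, roles: IS_AUTHENTICATED_FULLY }
```

With the weak original, the only rule never matches /game/welcome, so the access listener has nothing to enforce; with the corrected order, an anonymous request to /game/welcome is redirected to login_path rather than served.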

4 answers

  • dqdtgiw4736 2014-10-29 12:54

    Typically checking for the ROLE_USER should suffice, though it is probably more safe to check for the role IS_AUTHENTICATED_FULLY, which is set automatically by the security component for authenticated users if you want to differentiate from anonymous users.

    Instead of taking the path of setting up access_control in security.yml like the other answers suggest, I'd recommend securing the individual controllers instead.

    This has the advantage of not inadvertently disabling security when changing route URL patterns, or by making mistakes in the regular expressions, which I see happening a lot.

    With SensioFrameworkExtraBundle you can secure the controllers with an annotation:

    <?php

    use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
    use Symfony\Bundle\FrameworkBundle\Controller\Controller;
    
    class DemoController extends Controller
    {
        /**
         * is_fully_authenticated() is the security expression-language
         * equivalent of the IS_AUTHENTICATED_FULLY attribute. has_role()
         * only inspects real roles on the token (ROLE_USER, ROLE_ADMIN, ...),
         * so has_role('IS_AUTHENTICATED_FULLY') would never be true and
         * would lock everybody out of this action.
         *
         * @Security("is_fully_authenticated()")
         */
        public function indexAction()
        {
            // ...
        }
    }
    
    

    If you don't like annotations, you can do the check in your controller code as follows (when extending the default Controller class):

    <?php

    use Symfony\Bundle\FrameworkBundle\Controller\Controller;
    
    class DemoController extends Controller
    {
        public function indexAction()
        {
            // security.context is the Symfony 2.x service that answers isGranted();
            // IS_AUTHENTICATED_FULLY is false for anonymous users (and for
            // remember-me sessions), so they get a 403 / redirect to login here.
            if (false === $this->get('security.context')->isGranted('IS_AUTHENTICATED_FULLY')) {
                throw $this->createAccessDeniedException('Unable to access this page!');
            }
    
            // ...
        }
    }
    
    
    This answer was selected as the best answer by the asker.
