|
4 | 4 | How to Restrict Firewalls to a Request |
5 | 5 | ====================================== |
6 | 6 |
|
7 | | -When using the Security component, you can create firewalls that match certain request options. |
8 | | -In most cases, matching against the URL is sufficient, but in special cases, you can further |
9 | | -restrict the initialization of a firewall against other options of the request. |
| 7 | +When using the Security component, firewalls will decide whether they handle a |
| 8 | +request based on the result of a request matcher: the first firewall matching |
| 9 | +the request will handle it. |
| 10 | + |
| 11 | +The last firewall can be configured without any matcher to handle every incoming |
| 12 | +request. |
| 13 | + |
| 14 | +Restricting by Configuration |
| 15 | +---------------------------- |
| 16 | + |
| 17 | +Most of the time you don't need to create matchers yourself as Symfony can do it |
| 18 | +for you based on the firewall configuration. |
10 | 19 |
|
11 | 20 | .. note:: |
12 | 21 |
|
13 | | - You can use any of these restrictions individually or mix them together to get |
14 | | - your desired firewall configuration. |
| 22 | + You can use any of the following restrictions individually or mix them |
| 23 | + together to get your desired firewall configuration. |
15 | 24 |
|
16 | | -Restricting by Pattern |
17 | | ----------------------- |
| 25 | +Restricting by Path |
| 26 | +~~~~~~~~~~~~~~~~~~~ |
18 | 27 |
|
19 | | -This is the default restriction and restricts a firewall to only be initialized if the request URL |
20 | | -matches the configured ``pattern``. |
| 28 | +This is the default restriction and restricts a firewall to only be initialized |
| 29 | +if the request path matches the configured ``pattern``. |
21 | 30 |
|
22 | 31 | .. configuration-block:: |
23 | 32 |
|
@@ -65,12 +74,12 @@ matches the configured ``pattern``. |
65 | 74 | ]); |
66 | 75 |
|
67 | 76 | The ``pattern`` is a regular expression. In this example, the firewall will only be |
68 | | -activated if the URL starts (due to the ``^`` regex character) with ``/admin``. If |
69 | | -the URL does not match this pattern, the firewall will not be activated and subsequent |
| 77 | +activated if the path starts (due to the ``^`` regex character) with ``/admin``. If |
| 78 | +the path does not match this pattern, the firewall will not be activated and subsequent |
70 | 79 | firewalls will have the opportunity to be matched for this request. |
71 | 80 |
|
72 | 81 | Restricting by Host |
73 | | -------------------- |
| 82 | +~~~~~~~~~~~~~~~~~~~ |
74 | 83 |
|
75 | 84 | If matching against the ``pattern`` only is not enough, the request can also be matched against |
76 | 85 | ``host``. When the configuration option ``host`` is set, the firewall will be restricted to |
@@ -129,7 +138,7 @@ and subsequent firewalls will have the opportunity to be matched for this |
129 | 138 | request. |
130 | 139 |
|
131 | 140 | Restricting by HTTP Methods |
132 | | ---------------------------- |
| 141 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
133 | 142 |
|
134 | 143 | The configuration option ``methods`` restricts the initialization of the firewall to |
135 | 144 | the provided HTTP methods. |
@@ -183,3 +192,54 @@ In this example, the firewall will only be activated if the HTTP method of the |
183 | 192 | request is either ``GET`` or ``POST``. If the method is not in the array of the |
184 | 193 | allowed methods, the firewall will not be activated and subsequent firewalls will again |
185 | 194 | have the opportunity to be matched for this request. |
| 195 | + |
| 196 | +Restricting by Service |
| 197 | +---------------------- |
| 198 | + |
| 199 | +If the above options don't fit your needs you can configure any service implementing |
| 200 | +:class:`Symfony\\Component\\HttpFoundation\\RequestMatcherInterface` as ``request_matcher``. |
| 201 | + |
| 202 | +.. configuration-block:: |
| 203 | + |
| 204 | + .. code-block:: yaml |
| 205 | +
|
| 206 | + # config/packages/security.yaml |
| 207 | +
|
| 208 | + # ... |
| 209 | + security: |
| 210 | + firewalls: |
| 211 | + secured_area: |
| 212 | + request_matcher: app.firewall.secured_area.request_matcher |
| 213 | + # ... |
| 214 | +
|
| 215 | + .. code-block:: xml |
| 216 | +
|
| 217 | + <!-- config/packages/security.xml --> |
| 218 | + <?xml version="1.0" encoding="UTF-8"?> |
| 219 | + <srv:container xmlns="http://symfony.com/schema/dic/security" |
| 220 | + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" |
| 221 | + xmlns:srv="http://symfony.com/schema/dic/services" |
| 222 | + xsi:schemaLocation="http://symfony.com/schema/dic/services |
| 223 | + https://symfony.com/schema/dic/services/services-1.0.xsd"> |
| 224 | +
|
| 225 | + <config> |
| 226 | + <!-- ... --> |
| 227 | + <firewall name="secured_area" request-matcher="app.firewall.secured_area.request_matcher"> |
| 228 | + <!-- ... --> |
| 229 | + </firewall> |
| 230 | + </config> |
| 231 | + </srv:container> |
| 232 | +
|
| 233 | + .. code-block:: php |
| 234 | +
|
| 235 | + // config/packages/security.php |
| 236 | +
|
| 237 | + // ... |
| 238 | + $container->loadFromExtension('security', [ |
| 239 | + 'firewalls' => [ |
| 240 | + 'secured_area' => [ |
| 241 | + 'request_matcher' => 'app.firewall.secured_area.request_matcher', |
| 242 | + // ... |
| 243 | + ], |
| 244 | + ], |
| 245 | + ]); |
0 commit comments