Authenticated anonymously not work #60

Closed
JellyBellyDev opened this issue Apr 9, 2015 · 6 comments

Comments

@JellyBellyDev

Hi man,
good work with this bundle. I cloned and tried the sandbox: https://github.com/slashfan/LexikJWTAuthenticationBundleSandbox
but I don't understand why, if I change the access control setting:

access_control:
    - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/pages, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }

and I go to http://localhost:8000/angular-demo/index.html
I still see the authentication request.

P.S. In PageController.php (the getPagesAction function) I commented out these lines:

if (!$this->get('security.context')->isGranted('ROLE_USER')) {
    throw new AccessDeniedException();
}

Thanks

@slashfan
Contributor

slashfan commented Apr 9, 2015

Hi,

Have you tried adding anonymous: true to the api firewall configuration? Like this:

api:
    pattern:   ^/api
    stateless: true
    anonymous: true
    lexik_jwt: 
        # ... rest of your config

It worked for me in the sandbox.

@JellyBellyDev
Author

Well, it works!
However, if I add another controller without putting it in access_control, its routes are protected.
If I call this controller with Angular I receive 403 and not 401, and so I don't show the login modal.
I receive 403 even without the isGranted('ROLE_USER') check in the action. Instead I should receive 401 (IMHO).
In a nutshell, what I want is to have some public actions and some protected actions.
If I am logged in as ROLE_USER it's right to receive a 403 if I call an action with an isGranted('ROLE_ADMIN') check, but in all other cases I should always receive 401.
Is that bad?
Thanks

@slashfan
Contributor

Hi,

Sorry I didn't really understand. But I think the problem you have is more related to your app and its security design than this bundle.

The bundle only returns a 401 if it finds a json web token in the request and cannot match it against a user. Everything else is handled by symfony and your own config / logic.

@JellyBellyDev
Author

Thank you for your response.
Sorry if I can't explain it well.
So you're saying that if I add a new controller to the sandbox, it's normal that I get 403 instead of 401?

@slashfan
Contributor

You should read this: 401 is for authentication (which is the job of this bundle) and 403 is for authorization (which is handled by Symfony roles, security voters and access control), either through the access_control in your security configuration or directly from your controllers, in the @Secure annotation or the calls to the isGranted() method.

Maybe you should try to make your app's security system work with a standard form login, and when everything works fine, switch to JWT. But first make sure your roles, permissions and access control are properly set.
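To make the authentication/authorization split from the reply above concrete, here is a complete security.yml that puts the two answers in this thread together: anonymous: true on the api firewall, a public /api/pages route, a role-restricted /api/admin route, and a catch-all rule that keeps every other /api route behind a valid token. This is an added example, not the sandbox's own configuration. The in_memory provider and its two users, the ^/api/admin path and the plaintext encoder are assumptions made for illustration; the success_handler and failure_handler service names are those documented in the bundle's 1.x README, and the ^/api/login firewall follows the same README. Two things a practitioner should check in their own copy: Symfony evaluates access_control rules top to bottom and stops at the first path match, so the IS_AUTHENTICATED_FULLY catch-all must stay last or it will shadow the public routes; and, once anonymous: true is set, any route that is neither listed in access_control nor guarded by an isGranted() check is reachable without a token, which is why the catch-all is there at all. Whether an unauthenticated request to a protected route comes back as 401 or 403 depends on the firewall's entry point, which this thread does not configure and this example does not change.

```yaml
# app/config/security.yml (added example; assumed layout for a Symfony 2.x app
# using LexikJWTAuthenticationBundle 1.x, not the sandbox's own file)
security:
    # Assumed for the example only: plaintext passwords for in-memory users.
    # Never use a plaintext encoder outside a local demo.
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext

    # Assumed in-memory provider with one plain user and one admin.
    providers:
        in_memory:
            memory:
                users:
                    user:  { password: userpass,  roles: [ROLE_USER] }
                    admin: { password: adminpass, roles: [ROLE_USER, ROLE_ADMIN] }

    firewalls:
        # Token issuing endpoint: form_login with the bundle's handlers, so a
        # successful POST to /api/login_check returns a JWT.
        login:
            pattern:   ^/api/login
            stateless: true
            anonymous: true
            form_login:
                check_path:               /api/login_check
                require_previous_session: false
                username_parameter:       username
                password_parameter:       password
                success_handler:          lexik_jwt_authentication.handler.authentication_success
                failure_handler:          lexik_jwt_authentication.handler.authentication_failure

        # The API firewall. anonymous: true lets requests without a token reach
        # routes that access_control marks as public; routes that require a
        # role still reject anonymous callers.
        api:
            pattern:   ^/api
            stateless: true
            anonymous: true
            lexik_jwt: ~

    # First matching rule wins, so order matters: public routes first,
    # role-restricted routes next, and the catch-all last.
    access_control:
        - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/pages, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # Assumed path for the example: only ROLE_ADMIN may reach it. A caller
        # holding a valid ROLE_USER token gets 403 here (authorization failure).
        - { path: ^/api/admin, roles: ROLE_ADMIN }
        # Everything else under /api requires a valid token. Without this line,
        # anonymous: true would make every unlisted /api route public.
        - { path: ^/api,       roles: IS_AUTHENTICATED_FULLY }
```

With this in place the controller-level isGranted('ROLE_USER') check that the issue comments out becomes redundant for /api/pages, which is intentionally public, and unnecessary for the other routes, which access_control already covers. Keep controller checks for finer-grained decisions (ownership of a resource, ROLE_ADMIN on a single action) rather than as the only barrier on a route.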

@JellyBellyDev
Author

Ok! Now it's all clear!
Thank you so much Nicolas!
