[Security][Firewall] Why firewalls are not merged as other security elements? #16517

Closed
davide-romanini opened this issue Nov 10, 2015 · 8 comments

Comments

@davide-romanini

I made a bundle to handle all the various user management needs common to several websites. The bundle contains a security boilerplate configuration ready to import. The problem is: with this setup I can only have a single main firewall. If I want to add a second one (for example a service that exposes an API with a different user provider) I obtain the message "You are not allowed to define new elements for path "security.firewalls". Please define all elements for this path in one config file".
What are the technical reasons for this choice? It should be fairly simple to enable this feature.

@stof
Member

stof commented Nov 10, 2015

This is because the order of firewalls is very important, as the first match defines the security rules being applied for the request. Merging entries from different config files does not allow controlling where new keys are inserted in the list. This is why we enforce defining all firewall names in the initial file (you can still redefine the config of an existing firewall entirely in a subsequent config file).
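
The ordering problem described in the comment above, as an added example that is not part of the original thread and is not Symfony's own code: a simplified model of first-match firewall selection, showing that a key-based merge can only append a new firewall after a catch-all one, so API requests end up under the wrong firewall and user provider. The firewall names, patterns and provider names are constructed samples, and `firstMatchingFirewall` is a hypothetical helper.

```php
<?php
// Simplified model of first-match firewall selection (illustrative, not Symfony's code).

/** Return the name of the first firewall whose pattern matches the path, or null. */
function firstMatchingFirewall(array $firewalls, string $path): ?string
{
    foreach ($firewalls as $name => $config) {
        // In this model a firewall without a pattern matches every request.
        $pattern = $config['pattern'] ?? null;
        if ($pattern === null || preg_match('{' . $pattern . '}', $path) === 1) {
            return $name;
        }
    }
    return null;
}

// Constructed sample: firewalls shipped in the bundle's importable file.
$bundleFirewalls = [
    'dev'  => ['pattern' => '^/(_profiler|_wdt)/', 'security' => false],
    'main' => ['pattern' => '^/', 'provider' => 'site_users'],
];

// Constructed sample: a second file adding an API firewall with another provider.
$appFirewalls = [
    'api' => ['pattern' => '^/api/', 'provider' => 'api_clients', 'stateless' => true],
];

// Key-based merge: a new key can only be appended after the existing ones.
$merged = array_merge($bundleFirewalls, $appFirewalls);

// Order the second file's author intended: narrow pattern before the catch-all.
$intended = [
    'dev'  => $bundleFirewalls['dev'],
    'api'  => $appFirewalls['api'],
    'main' => $bundleFirewalls['main'],
];

foreach (['/api/orders', '/login', '/_profiler/abc'] as $path) {
    printf("%-16s merged=%-5s intended=%s\n", $path,
        firstMatchingFirewall($merged, $path) ?? 'none',
        firstMatchingFirewall($intended, $path) ?? 'none');
}

// Redefining an existing name keeps its position, so the match order is unchanged.
$redefined = array_merge($bundleFirewalls, ['main' => ['pattern' => '^/', 'provider' => 'api_clients']]);
printf("order after redefining main: %s\n", implode(', ', array_keys($redefined)));
```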

@sstok
Contributor

sstok commented Nov 10, 2015

> (you can still redefine the config of an existing firewall entirely in a subsequent config file).

oh :) now that's something new to me.

@linaori
Contributor

linaori commented Nov 11, 2015

By using a prepend extension, you can also pre-define rules already, which will make defining the config possible from other files (you can't merge but you can replace). We used this "hack" to make it possible to inject configuration for a user-provider like this in our shared login bundle.

@jakzal
Contributor

jakzal commented Nov 11, 2015

@davide-romanini I don't think we need to do anything here. You can either try to use prepend in the extension, or force users to explicitly define the configuration (you could provide an example). In this case I don't think the latter option is a bad idea.

@davide-romanini
Author

Thanks for your suggestions. It would be nice to see a real example of the prepend strategy for this specific use case.

@davide-romanini
Author

I tried the "prepend" approach, but with no success: I always run into the same "You are not allowed to define new elements for path "security.firewalls"." error.

@javiereguiluz
Member

Closing it as "fixed", because as @stof said, this is a well-known and needed Symfony behavior.

@clarkgunn

@davide-romanini Did you find a workable solution?
