I'm attempting to use Silex to secure routes on an internal system I'm developing. It's perhaps a slightly special situation, where I have an interface (accessible at /admin) which, when logged in, makes calls to /api/v1/* endpoints. Two endpoints need to be completely open, with no auth checking. These two endpoints are called periodically by a third-party system (also internal).
I have the following in my security.firewalls config:

    [
        'secured' => [
            'pattern' => '^/admin',
            'http' => false,
            'form' => [
                'login_path' => '/login',
                'check_path' => '/admin/login_check',
                'default_target_path' => '/admin'
            ],
            'logout' => [
                'logout_path' => '/admin/logout',
                'invalidate_session' => true,
                'target_url' => '/login'
            ],
            'users' => new UserProvider,
        ],
        'api_v1_details' => [
            'pattern' => '^/api/v1/details',
            'anonymous' => true,
        ],
        'api_v1_failures' => [
            'pattern' => '^/api/v1/failures',
            'anonymous' => true,
        ],
        'api_v1' => [
            'pattern' => '^/api/v1/',
            'anonymous' => false,
            'stateless' => false,
        ],
    ];
In my security.access_rules, I have:

    [
        ['^/admin', 'ROLE_ADMIN'],
        ['^/api/v1', 'ROLE_ADMIN'],
    ]
I can successfully log in, and in order to access any of the /admin/* pages, I have to be authenticated, so I know the firewall setup is at least partially working. However, AJAX requests to the /api/v1/* endpoints from /admin/* pages, even though they contain the session cookie, are not authenticated, and are 302'd to /login.
If I try to access any /api/v1/* endpoints while not authenticated (in my case, through Postman), I also get a 302 to the login page.
If I remove the ['^/api/v1', 'ROLE_ADMIN'] access rule and try again, then it will correctly firewall the endpoints, with the two open endpoints returning the correct response, and the remaining endpoints returning a 302.
However, under all circumstances, all AJAX requests from authenticated /admin/* pages return a 302.
My desired situation is that when I'm authenticated via logging in in the interface, all AJAX requests to /api/v1/* endpoints from /admin/* pages will also be authenticated, and when I'm not authenticated, only the two endpoints /api/v1/details and /api/v1/failures are accessible, and all others fail somehow (preferably with a 401, even more preferably with a JSON response).
It's a system for internal use only, isn't in public production, and there are only a couple of people that use the system, so it doesn't necessarily need to adhere to all the usual guidelines with the correct status codes, etc.
Hope someone can point me in the right direction!
The Symfony Security component isolates each firewall by default, i.e., if you are authenticated against one firewall you are not authenticated against all of them!
I've found that you can set the same context on all firewalls and then authenticate within all of them at the same time.
If you've landed here, check this little issue with context setting in Silex (thanks for the notice @AndrewPlank)
Also, be warned of the Silex EOL.
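As an added illustration of the shared-context approach from the answer (not code from the question or the answer), here is the question's firewall layout with the admin and /api/v1 firewalls given the same context, so the session authenticated by the login form also authenticates the AJAX calls. It assumes Silex's SecurityServiceProvider, the UserProvider class from the question, and the context name "admin_context", which is an arbitrary choice.

```php
<?php
use Silex\Application;
use Silex\Provider\SecurityServiceProvider;
use Silex\Provider\SessionServiceProvider;

$app = new Application();
$app->register(new SessionServiceProvider());
$app->register(new SecurityServiceProvider());

// Firewalls are matched top-down and the first matching pattern wins, so
// the two open endpoints must stay above the catch-all '^/api/v1/' entry.
$app['security.firewalls'] = [
    'secured' => [
        'pattern' => '^/admin',
        'context' => 'admin_context',  // shared name (assumed, any string)
        'http'    => false,
        'form'    => [
            'login_path'          => '/login',
            'check_path'          => '/admin/login_check',
            'default_target_path' => '/admin',
        ],
        'logout'  => [
            'logout_path'        => '/admin/logout',
            'invalidate_session' => true,
            'target_url'         => '/login',
        ],
        'users'   => new UserProvider,
    ],
    'api_v1_details'  => ['pattern' => '^/api/v1/details',  'anonymous' => true],
    'api_v1_failures' => ['pattern' => '^/api/v1/failures', 'anonymous' => true],
    'api_v1' => [
        'pattern'   => '^/api/v1/',
        'context'   => 'admin_context',  // same context: reuses the admin token
        'anonymous' => false,
        'stateless' => false,            // must read the session to see the token
        'users'     => new UserProvider, // so the stored token can be refreshed here
    ],
];

// Access rules are global (they apply regardless of which firewall matched)
// and are also checked top-down, so the two open endpoints need an explicit
// allow before the blanket ROLE_ADMIN rule; otherwise the anonymous
// firewalls still end up denied, as observed in the question.
$app['security.access_rules'] = [
    ['^/api/v1/(details|failures)', 'IS_AUTHENTICATED_ANONYMOUSLY'],
    ['^/api/v1', 'ROLE_ADMIN'],
    ['^/admin',  'ROLE_ADMIN'],
];
```

Unauthenticated requests to the closed /api/v1 endpoints will still be redirected rather than answered with a JSON 401 by this configuration alone; that part needs a separate entry point and is not covered here.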