Tags: php, symfony, symfony4, symfony-security

How to override Symfony's security for a specific environment?


I'm trying to configure Symfony's security component so that in a specific environment (travis) there is no security enabled for any endpoints.

We'll be using the Cypress testing suite to perform integration tests during the travis build, and I don't want security there. In my config/packages/security.yaml file I have the following:

security:
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: bcrypt
            cost: 12
    providers:
        in_memory:
            memory:
                users:
                    nets:
                        password: foo
                        roles: ['ROLE_NETS']
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            http_basic: ~
    access_control:
        - { path: ^/nets, roles: [ROLE_ADMIN, ROLE_NETS], requires_channel: https }

which works as expected. The appropriate ^/nets endpoints are only available if I provide the correct HTTP basic auth credentials.

In my config/packages/travis/security.yaml file I have:

security:
    firewalls:
        main:
            pattern: ^/
            http_basic: false
            security: false

which, as far as I understand it, should turn off all security for all endpoints when in the travis environment. But it doesn't; I keep getting a 401. When I run bin/console -e travis debug:config security I get the following:

security:
    [...]
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
            methods: {  }
            user_checker: security.user_checker
            stateless: false
            logout_on_user_change: true
        main:
            pattern: ^/
            security: false
            methods: {  }
            user_checker: security.user_checker
            stateless: false
            logout_on_user_change: true
    [...]

which to me indicates that security should be inactive for all routes.


Solution

  • By disabling the firewalls, authentication is disabled, so users cannot authenticate with your app.

    But authorization (security.access_control) is still active. So users still need to get a role to access these paths, and have no way to acquire the role.

    You would need to define different access_control rules for each environment, on top of changing firewall settings.

    You cannot override security.access_control settings in different files. You would get an error saying this if you attempt to do so:

    Configuration path "security.access_control" cannot be overwritten. You have to define all options for this path, and any of its sub-paths in one configuration section.

    So you'll probably need to have different security.yaml files for each environment, defining all the necessary access control rules.
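A file layout that follows the answer's advice, shown here as an added example that is neither the question's nor the answer's own config. The shared file keeps the encoder, provider and firewalls from the question but defines no access_control at all; each environment directory then carries the complete access_control list for that environment, so the "cannot be overwritten" error never triggers. Symfony 4 loads config/packages/*.yaml first and config/packages/<env>/*.yaml afterwards, which is what makes this split work. The travis file is an assumption about what the asker wants: the main firewall disabled, as in the question, plus an empty rule list so that no path requires a role in that environment.

```yaml
# config/packages/security.yaml
# Shared by every environment. Deliberately no access_control here, because a
# rule list in this file could not coexist with a different list in travis/.
security:
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: bcrypt
            cost: 12
    providers:
        in_memory:
            memory:
                users:
                    nets:
                        password: foo          # credential taken from the question
                        roles: ['ROLE_NETS']
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            http_basic: ~

---
# config/packages/prod/security.yaml
# The real authorization rules. Put the same file under config/packages/dev/
# (or a dev-specific variant), otherwise dev has no access_control at all.
security:
    access_control:
        - { path: ^/nets, roles: [ROLE_ADMIN, ROLE_NETS], requires_channel: https }

---
# config/packages/travis/security.yaml  (assumed travis environment from the question)
# Firewall disabled as in the question, and a complete, empty access_control
# list for this environment so no path demands a role.
security:
    firewalls:
        main:
            pattern: ^/
            http_basic: false
            security: false
    access_control: []
```

Check each environment with the command the question already uses, bin/console -e travis debug:config security and bin/console -e prod debug:config security: the access_control printed for each should be exactly the list from that environment's own file, and the travis build should be the only one in which main shows security: false. Keep the travis directory out of any deployable image, since a firewall with security: false plus an empty rule list leaves every endpoint open.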