Best Practice to secure HTTP

[alessandro-podo]

Hello,

https://github.com/Guikingone/SchedulerBundle/blob/main/doc/http.md

If I try to secure the Path with the security.yaml access_controll it doesn't work.
What is the recommended way?

Thanks

[Guikingone]

Hi @alessandro-podo 👋🏻

Could you be more specific about the configuration that you're using in the access_control? 🤔

[alessandro-podo]

sorry for the late reply. I have not seen the notification.

security:
    access_control:
        - { path: ^/datenschutz, roles: PUBLIC_ACCESS }
        - { path: ^/login, roles: PUBLIC_ACCESS }
        - { path: ^/logout, roles: PUBLIC_ACCESS }
        - { path: ^/s/, roles: PUBLIC_ACCESS }
        - { path: ^/admin, roles: ROLE_ADMIN, ips: '%env(ADMIN_IPS)%' }
        - { path: ^/admin, roles: ROLE_NO_ACCESS }
        - { path: ^/_profiler, roles: ROLE_ADMIN, ips: '%env(ADMIN_IPS)%' }
        - { path: ^/_profiler, roles: ROLE_NO_ACCESS }
        - { path: ^/api, roles: ROLE_API}        
        - { path: ^/_tasks, roles: ROLE_NO_ACCESS}
        - { path: ^/*, roles: ROLE_USER }

When i open >url</_tasks?name=CacheReload it works

i use a Subscriber with a higher priority and block the request.

i use sf6.0.4

[Guikingone]

Hi @alessandro-podo 👋🏻

So, you're saying:

If I try to secure the Path with the security.yaml access_controll it doesn't work.

Then:

When i open >url</_tasks?name=CacheReload it works

But regarding your configuration file:

security:
    access_control:
        # ...

        - { path: ^/_tasks, roles: ROLE_NO_ACCESS}

        # ...

It seems that you're requiring ROLE_NO_ACCESS role to access the /_tasks path, does the user that request this URL fully logged with this role? 🤔

[alessandro-podo]

yes the user is full login, but without that role
with /admin it works

[Guikingone]

yes the user is full login, but without that role

Does the role_hierarchy defines the role with this one as a "sub role"?

with /admin it works

Don't get the point here 🤔

If I'm right, you're saying that even when requesting the URL without being logged, it works?

[alessandro-podo]

the Json Response from TaskSubscriber i added the current User ($requestEvent->getRequest()->getUser()) and this is null.
I can try to make and repo with that problem so i can show that.

[Guikingone]

the Json Response from TaskSubscriber i added the current User ($requestEvent->getRequest()->getUser()) and this is null.

So the current user is null, seems strange, does the user correctly logged? Does it have every required roles?

I can try to make and repo with that problem so i can show that.

Could be easier to debug, thanks 🙂