How to use private and public routes in api-platform of single resource - api-platform.com

I'm trying to use different routes in a resource and set up several firewalls:
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    api_login:
        pattern: ^/api/public/authentication
        anonymous: true
        provider: app_user_provider
        stateless: true
        json_login:
            check_path: /api/public/authentication_token
            username_path: email
            password_path: password
            success_handler: lexik_jwt_authentication.handler.authentication_success
            failure_handler: lexik_jwt_authentication.handler.authentication_failure
        # guard:
        #     authenticators:
        #         - lexik_jwt_authentication.jwt_token_authenticator
    api_private:
        pattern: ^/api/private
        stateless: true
        provider: app_user_provider
        guard:
            authenticators:
                - lexik_jwt_authentication.jwt_token_authenticator
access_control:
    - { path: ^/docs, roles: IS_AUTHENTICATED_ANONYMOUSLY } # Allows accessing the Swagger UI
    - { path: ^/api/public/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/private/, roles: IS_AUTHENTICATED_FULLY }
And I want to use different route prefixes in my User resource. In my case, I want collectionOperations.get to match the public firewall.
I tried to set the /private prefix globally for this resource and want to override it in collectionOperations.get:
/**
 * @ApiResource(
 *     routePrefix="/private",
 *     collectionOperations={
 *         "get"={
 *             "path"="/api/public/users",
 *             "security"="is_granted('IS_AUTHENTICATED_ANONYMOUSLY')"
 *         },
 *     }
 * )
 * @ORM\Entity(repositoryClass=UserRepository::class)
 */
But when I use path, the prefix is not overridden:
/api/private/api/public/users
Should I not use "route_prefix" and instead define a custom path for each operation?

The full resource path is the concatenation of api_platform.prefix (config/routes/api_platform.yaml), routePrefix and path.
I think it is more flexible to open all API resources at the firewall level and close some resources/operations via security annotations.
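What the answer above describes, written out as an added example (not code from either poster): one firewall covers everything under the /api prefix and admits anonymous requests, and the per-operation security expressions decide who may call what. The resource is declared in API Platform's YAML format so that no route prefix is needed to separate public from private operations. File paths, the provider name app_user_provider and the login path /api/authentication_token are assumptions.

```yaml
# config/api_platform/resources.yaml  (assumed path; API Platform 2.x YAML resource config)
App\Entity\User:
    attributes:
        security: "is_granted('ROLE_USER')"          # default: every operation needs a login
    collectionOperations:
        get:
            security: "is_granted('IS_AUTHENTICATED_ANONYMOUSLY')"   # the one public listing
        post:
            security: "is_granted('ROLE_ADMIN')"
    itemOperations:
        get:
            security: "is_granted('ROLE_USER')"
        put:
            security: "is_granted('ROLE_ADMIN') or object == user"   # object = the User being edited
        delete:
            security: "is_granted('ROLE_ADMIN')"
---
# config/packages/security.yaml  (Symfony 4 with LexikJWTAuthenticationBundle, guard style)
security:
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        api_login:
            pattern: ^/api/authentication_token$       # assumed login path
            stateless: true
            anonymous: true
            provider: app_user_provider
            json_login:
                check_path: /api/authentication_token
                username_path: email
                password_path: password
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
        api:
            pattern: ^/api
            stateless: true
            anonymous: true      # no token -> anonymous request; the operation's expression decides
            provider: app_user_provider
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator
    access_control:
        - { path: ^/docs, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY }
```

Two things to keep in mind with this layout. A request that carries a malformed or expired bearer token is rejected by the JWT authenticator with 401 before any expression runs; only a request with no token at all is treated as anonymous. And the resource-level `security` default is what keeps a newly added operation from becoming public by omission, so set it before relying on per-operation overrides.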

Related

Specify which plugins to use on a route in Kong dbless mode

In DB-less mode on Kong we can specify which routes a plugin applies to using this declaration:
plugins:
  - name: jwt
    route: <route>
    config:
      secret_is_base64: false
But I need to specify which plugins this route is going to use with something like:
route:
  - name: getUser
    paths:
      - /user
    plugins: [<plugin1>, <plugin2>]
Any way to do this?
I don't want to update all the plugin declarations every time I add a new API on a service.
You can declare your plugins like this:
services:
  - connect_timeout: 60000
    host: alb.host.dev
    name: service1
    routes:
      - hosts:
          - api.host.com
          - www.host.com
        name: my_host
        methods:
          - GET
        paths:
          - /user
        plugins:
          - name: plugin1
            config:
              redis_database: 0
              redis_host: redis.dev
              redis_password: null
              redis_port: 6379
              redis_timeout: 2000
          - name: plugin2
            config:
              foo: 1
              bar: 2
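The route-scoped form from the answer, carried through with the jwt plugin the question started from, as an added example that is not the answerer's configuration. It shows what the jwt plugin additionally needs in a DB-less file: a consumer with a jwt_secrets credential whose key matches the token's iss claim, plus exp verification so that a leaked token stops working. The upstream URL, the format version, the consumer name and the placeholder secret are assumptions.

```yaml
_format_version: "2.1"                 # assumed: Kong 2.x declarative format
services:
  - name: user-service
    url: http://user-upstream.internal:8080   # assumed upstream
    routes:
      - name: getUser
        methods: [GET]
        paths: [/user]
        plugins:
          - name: jwt                  # only this route requires a JWT
            config:
              claims_to_verify: [exp]  # reject expired tokens; default verifies none
              secret_is_base64: false
      - name: healthz
        methods: [GET]
        paths: [/healthz]              # no plugins: stays public on purpose
consumers:
  - username: mobile-app               # assumed consumer
    jwt_secrets:
      - key: mobile-app-issuer         # must equal the token's "iss" claim (key_claim_name default)
        algorithm: HS256
        secret: REPLACE-WITH-A-LONG-RANDOM-SECRET   # placeholder, load from your secret store
```

Adding another route to the same service leaves the plugin list untouched: each route carries only the plugins it declares, and a route with no plugins block gets none. The shared-secret HS256 credential above lives in the config file, so treat that file as a secret; an RS256 credential with only the public key in rsa_public_key avoids that.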

Call service from existing api gateway using base path mappings

Our API has the following endpoints:
POST /users - create a user
GET /users/{userId} - get a particular user
GET /posts/{postId} - get a particular post
GET /posts/{postId}/users - get the users who contributed to this post
I have defined two services: users-service and posts-service. In these two services I define the lambdas like so. I'm using the serverless-domain-manager plugin to create base path mappings:
/users-service/serverless.yaml:
service: users-service
provider:
  name: aws
  runtime: nodejs10.x
  stage: dev
plugins:
  - serverless-domain-manager
custom:
  customDomain:
    domainName: 'serverlesstesting.example.com'
    basePath: 'users'
    stage: ${self:provider.stage}
    createRoute53Record: true
functions:
  create:
    name: userCreate
    handler: src/create.handler
    events:
      - http:
          path: /
          method: post
  get:
    name: userGet
    handler: src/get.handler
    events:
      - http:
          path: /{userId}
          method: get
/rooms-service/serverless.yaml:
service: posts-service
provider:
  name: aws
  runtime: nodejs10.x
  stage: dev
plugins:
  - serverless-domain-manager
custom:
  customDomain:
    domainName: 'serverlesstesting.example.com'
    basePath: 'posts'
    stage: ${self:provider.stage}
    createRoute53Record: true
functions:
  get:
    name: postsGet
    handler: src/get.handler
    events:
      - http:
          path: /{postId}
          method: get
  getUsersForPost:
    handler: userGet ?
    events: ??
The problem is that the GET /posts/{postId}/users actually calls the same userGet lambda from the users-service. But the source for that lambda lives in the users-service, not the posts-service.
So my question becomes:
How do I reference a service from another service using base path mappings? In other words, is it possible for the posts service to actually make a call to the parent custom domain and into the users base path mapping and its service?
Consider or refer to the approach below:
https://serverless-stack.com/chapters/share-an-api-endpoint-between-services.html
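The approach at that link shares one REST API between services instead of giving each service its own API behind a base path mapping. As an added example (not the poster's files and not the linked chapter's code), the two services below are rewritten that way: users-service creates the API and the custom domain and exports the API id and root resource id; posts-service imports them and attaches its own paths. An http event can only point at a function in its own service, so the /posts/{postId}/users route has to be deployed by posts-service with its own handler, which is given permission to invoke userGet and nothing else. The region, the handler file src/postUsers.handler and the function name postUsersGet are assumptions.

```yaml
# users-service/serverless.yml: this stack owns the REST API and the custom domain
service: users-service
provider:
  name: aws
  runtime: nodejs10.x
  stage: dev
  region: us-east-1                   # assumed
plugins:
  - serverless-domain-manager
custom:
  customDomain:
    domainName: serverlesstesting.example.com
    stage: ${self:provider.stage}
    createRoute53Record: true         # no basePath: the shared API is mapped at the domain root
functions:
  create:
    name: userCreate
    handler: src/create.handler
    events:
      - http:
          path: /users
          method: post
  get:
    name: userGet
    handler: src/get.handler
    events:
      - http:
          path: /users/{userId}
          method: get
resources:
  Outputs:
    ApiGatewayRestApiId:
      Value:
        Ref: ApiGatewayRestApi
      Export:
        Name: ${self:provider.stage}-ApiGatewayRestApiId
    ApiGatewayRestApiRootResourceId:
      Value:
        Fn::GetAtt: [ApiGatewayRestApi, RootResourceId]
      Export:
        Name: ${self:provider.stage}-ApiGatewayRestApiRootResourceId
---
# posts-service/serverless.yml: attaches its routes to the API exported above
service: posts-service
provider:
  name: aws
  runtime: nodejs10.x
  stage: dev
  region: us-east-1                   # assumed
  apiGateway:
    restApiId:
      Fn::ImportValue: ${self:provider.stage}-ApiGatewayRestApiId
    restApiRootResourceId:
      Fn::ImportValue: ${self:provider.stage}-ApiGatewayRestApiRootResourceId
  iamRoleStatements:
    # least privilege: this service may call the one function it depends on, nothing else
    - Effect: Allow
      Action: lambda:InvokeFunction
      Resource: arn:aws:lambda:${self:provider.region}:*:function:userGet
functions:
  get:
    name: postsGet
    handler: src/get.handler
    events:
      - http:
          path: /posts/{postId}
          method: get
  getUsersForPost:
    name: postUsersGet
    handler: src/postUsers.handler    # assumed: this service's own code, which invokes userGet
    events:
      - http:
          path: /posts/{postId}/users
          method: get
```

Deploy users-service first so the exports exist when posts-service is deployed. Because both services now share one API, each must own a disjoint set of top-level paths (/users in one, /posts in the other); two stacks trying to create the same API Gateway resource will fail on deploy.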

Spring Cloud Gateway : disable default routes

I'm using spring cloud to manage my microservices.
For security reasons, for one specific microservice (name it ms_secure), I want to use a custom route that chooses a specific microservice version depending on the client IP.
My gateway config looks like this:
spring:
  cloud:
    gateway:
      discovery:
        locator:
          enabled: true
      routes:
        - id: ms_secure_v1
          uri: lb://ms_secure_v1
          predicates:
            - Path=/ms_secure/**
          filters:
            - RewritePath=/ms_secure/(?<segment>.*), /$\{segment}
            - name: <my filter>
              args:
                xForwardedForHeaderName: X-Forwarded-For
                hosts:
                  - <IP1>
                  - <IP2>
        - id: ms_secure
          uri: lb://ms_secure_v2
          predicates:
            - Path=/ms_secure/**
          filters:
            - RewritePath=/ms_secure/(?<segment>.*), /$\{segment}
            - name: <my filter>
              args:
                xForwardedForHeaderName: X-Forwarded-For
                hosts:
                  - <IP3>
                  - <IP4>
When requesting /ms_secure:
IP1 and IP2 will be redirected to ms_secure_v1
IP3 and IP4 will be redirected to ms_secure_v2
My problem is that all my clients will also be able to access ms_secure_v1 or ms_secure_v2 directly by using the default routes:
http:///ms_secure_v1/...
http:///ms_secure_v2/...
I tried to disable these routes by using SetStatus GatewayFilter:
- id: setstatusstring_route
  uri: lb://ms-gateway
  predicates:
    - Path=/ms_secure_v**
  filters:
    - SetStatus=403
But this route is not matched.
Is there a way to disable these default routes in spring gateway?
The following creates routes in gateway based on services registered:
spring:
  cloud:
    gateway:
      discovery:
        locator:
          enabled: true
Set it to false (which is the default), if you don't want this.
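The answer's fix, applied to the poster's configuration as an added example (not the answerer's or the poster's file). With the discovery locator off, the only way to reach either version is through the explicit /ms_secure/** routes, and the IP gating is done with the gateway's built-in RemoteAddr predicate instead of a custom filter, so a client outside both address sets matches no route at all (404) rather than falling through to one of the versions. The addresses stand in for IP1..IP4 and are assumptions.

```yaml
spring:
  cloud:
    gateway:
      discovery:
        locator:
          enabled: false          # no automatic /ms_secure_v1/** and /ms_secure_v2/** routes
      routes:
        - id: ms_secure_v1
          uri: lb://ms_secure_v1
          order: 0
          predicates:
            - Path=/ms_secure/**
            - RemoteAddr=10.0.1.10/32,10.0.1.11/32   # assumed, stands in for IP1 and IP2
          filters:
            - RewritePath=/ms_secure/(?<segment>.*), /$\{segment}
        - id: ms_secure_v2
          uri: lb://ms_secure_v2
          order: 1
          predicates:
            - Path=/ms_secure/**
            - RemoteAddr=10.0.2.0/24                 # assumed, stands in for IP3 and IP4
          filters:
            - RewritePath=/ms_secure/(?<segment>.*), /$\{segment}
        # Deliberately no catch-all for /ms_secure/**: anyone else gets 404, and the
        # version names never appear in a client-visible URL, so no SetStatus route is needed.
```

RemoteAddr checks the TCP peer address by default. If the gateway sits behind a load balancer, the peer is the balancer, and X-Forwarded-For is only safe to use when a resolver that trusts a fixed number of hops (XForwardedRemoteAddressResolver, configured in Java, not shown here) is wired in; read naively, the header is written by the client and any IP can be claimed.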

Symfony3 JMSSecurityExtraBundle Loop of redirections with isAuthenticated in access_control

I use JMSSecurityExtraBundle (1.6.1) with
Symfony 3.1
FOSUserBundle
JMSI18nRoutingBundle
JMSTranslationBundle
Everything works when I'm logged in and try to access the login page (403 denied exception).
But if I'm not authenticated and try to access the login page, I get a loop of redirections.
Misconfiguration? Or a bug with JMSI18nRoutingBundle? Any idea?
encoders:
    FOS\UserBundle\Model\UserInterface: bcrypt
role_hierarchy:
    ROLE_ADMIN: ROLE_USER
    ROLE_SUPER_ADMIN: ROLE_ADMIN
providers:
    fos_userbundle:
        id: fos_user.user_provider.username
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main:
        pattern: ^/
        form_login:
            provider: fos_userbundle
            csrf_token_generator: security.csrf.token_manager
            login_path: fos_user_security_login
            check_path: fos_user_security_check
        oauth:
            resource_owners:
                facebook: "/connect/check-facebook"
                google: "/connect/check-google"
                twitter: "/connect/check-twitter"
            login_path: fos_user_security_login
            failure_path: /connect
            oauth_user_provider:
                service: customUserProvider
        logout:
            path: fos_user_security_logout
        anonymous: true
access_control:
    - { path: "^/[a-z]{2}_[A-Z]{2}/login$", role: "!is_Authenticated()" }
    - { path: "^/[a-z]{2}_[A-Z]{2}/register", role: "!is_Authenticated()" }
    - { path: "^/[a-z]{2}_[A-Z]{2}/resetting", role: "!is_Authenticated()" }
    - { path: "^/[a-z]{2}_[A-Z]{2}/(account|compte){1}", role: IS_AUTHENTICATED_REMEMBERED }
    - { path: "^/[a-z]{2}_[A-Z]{2}/(recipe/add|recette/ajouter){1}", role: IS_AUTHENTICATED_REMEMBERED }
    - { path: "^/[a-z]{2}_[A-Z]{2}/(recipe/.*/edit|recette/.*/editer){1}", role: IS_AUTHENTICATED_REMEMBERED }
Thanks for all
is_Authenticated() will not suffice in this case, since an anonymous user is automatically assigned the IS_AUTHENTICATED_ANONYMOUSLY role and is therefore authenticated.
access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, role: ROLE_USER }
Above is one of the possible solutions you could use to prevent the loop.

Redirect to login page on ajax request

For authentication in my project I use 2 methods, form_login and CAS, with a single provider (user).
I set up form_login in security.yml and I created a Guard for CAS.
After many tests I managed to make the two authentications cohabit.
Now I start to put ajax in my pages and I am confronted with a new problem: all my ajax calls are redirected to the login page.
As all my ajax routes start with /api/, I tried to put this in security.yml:
- {path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY}
But I'm still redirected to the login page ...
I've been looking for an explanation for 3 days but haven't found one yet.
My security.yml:
...
firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    login_firewall:
        pattern: ^/login$
        anonymous: true
    main:
        pattern: ^/
        anonymous: false
        form_login:
            provider: database
            login_path: login
            check_path: login_check
            csrf_token_generator: security.csrf.token_manager
            csrf_token_id: bien_authentifie
            always_use_default_target_path: true
            default_target_path: home
        logout:
            path: caslogout
            target: https://xxx.xxxx.nnn/cas/logout
        switch_user: true
        guard:
            provider: database
            authenticators:
                - xxx.cas_authenticator
access_control:
    - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, roles: ROLE_ADMIN }
    - { path: ^/, roles: ROLE_USER }
I've found it :c)
It was so obvious: anonymous: false was the problem. It has to be anonymous: ~ for
access_control to work with IS_AUTHENTICATED_ANONYMOUSLY.
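The two Symfony posts above (the redirect loop with "!is_Authenticated()" on the login page, and the ajax calls bounced to the login page because of anonymous: false) are two sides of the same mechanism, so one added example covers both; it is not code from either poster. The firewall must allow anonymous requests for an IS_AUTHENTICATED_ANONYMOUSLY rule to ever be satisfiable, and access_control is evaluated top to bottom with the first matching rule winning, so the public pages have to be listed before the catch-all rule and must not deny anonymous users. The provider name database, the route names and the locale-prefix regex are assumptions modelled on the posts.

```yaml
# app/config/security.yml (Symfony 3.x)
security:
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            anonymous: ~            # required: without it no anonymous token exists, so
                                    # IS_AUTHENTICATED_ANONYMOUSLY can never be granted
            form_login:
                provider: database  # assumed provider name
                login_path: login
                check_path: login_check
                csrf_token_generator: security.csrf.token_manager
            logout:
                path: logout

    access_control:
        # First match wins. Public pages come first and are open to anonymous users.
        # Denying them to anonymous users (e.g. role: "!is_Authenticated()") sends the
        # visitor to the login page, which the same rule denies again: that is the loop.
        - { path: "^/([a-z]{2}_[A-Z]{2}/)?(login$|register|resetting)", roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # Everything below is reachable only after authentication. Note that an ^/api rule
        # with IS_AUTHENTICATED_ANONYMOUSLY (as in the post above) makes those endpoints
        # callable by anyone, not just by ajax from a logged-in page; keep them under
        # ROLE_USER if they return user data.
        - { path: ^/admin/, roles: ROLE_ADMIN }
        - { path: ^/, roles: ROLE_USER }
```

The optional locale group in the first regex keeps the rule working with JMSI18nRoutingBundle's /en_US/login style prefixes as well as the plain /login path from the second post.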
