PHP Symfony2 security: restricting all methods except POST on a resource

I'm building a REST API. My problem is that anyone may create a resource (an application), but once it has been created it should only be retrievable and updatable by an authenticated user who holds a given role. The problem is that I protected this resource in the firewall section of security.yml, and that does not let me configure it per HTTP method. Here is my security.yml:
security:
    # http://symfony.com/doc/current/book/security.html#encoding-the-user-s-password
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        OAuth2\ServerBundle\Entity\User:
            algorithm: sha512
            encode_as_base64: true
            iterations: 5000

    # http://symfony.com/doc/current/book/security.html#hierarchical-roles
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        in_memory:
            memory:
                users:
                    user: { password: userpass, roles: [ 'ROLE_USER' ] }
                    admin: { password: adminpass, roles: [ 'ROLE_ADMIN' ] }
        oauth2:
            id: oauth2.user_provider

    # the main part of the security, where you can set up firewalls
    # for specific sections of your app
    firewalls:
        api:
            pattern: ^/api/(agents|regions|applications)
            stateless: true
            simple_preauth:
                authenticator: dnd_token_authenticator

        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

    # with these settings you can restrict or allow access for different parts
    # of your application based on roles, ip, host or methods
    # http://symfony.com/doc/current/cookbook/security/access_control.html
    access_control:
        #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
        #- { path: ^/api/applications, roles: IS_AUTHENTICATED_ANONYMOUSLY, methods: POST }
The yaml can have two sections with the same pattern but different methods: one for the read API and one for the write API. You can then control the security of each section as needed.
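Both ways of doing this, written out as an added example (not the question's file and not the answerer's configuration): option A keeps the single `api` firewall and decides per method in `access_control`; option B is the answer's approach of two firewalls with the same `pattern` and different `methods`. The example assumes a Symfony 2 release whose firewall definition accepts a `methods` key, and that `dnd_token_authenticator` is the asker's own service, which raises an authentication exception when no token is presented and does not return its own failure response. Everything else (encoders, role_hierarchy, providers, the `dev` firewall) stays exactly as in the question.

```yaml
# security.yml (added example; only the firewalls and access_control sections are shown)
security:
    # encoders, role_hierarchy and providers unchanged from the question

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # ---- Option A: one firewall, method decided in access_control ----
        # anonymous: ~ is required. Without it an unauthenticated POST never
        # gets a security token, so the access listener rejects it before the
        # IS_AUTHENTICATED_ANONYMOUSLY rule below is ever considered.
        api:
            pattern: ^/api/(agents|regions|applications)
            stateless: true
            anonymous: ~
            simple_preauth:
                authenticator: dnd_token_authenticator

        # ---- Option B: two firewalls, same pattern, different methods ----
        # Firewalls are matched top to bottom and the first match wins, so the
        # POST-only firewall must be listed BEFORE the general api firewall.
        # With security: false no listener runs for the create request at all,
        # which also means access_control rules do not apply to it.
        #
        #api_create:
        #    pattern: ^/api/applications$
        #    methods: [POST]
        #    security: false
        #api:
        #    pattern: ^/api/(agents|regions|applications)
        #    stateless: true
        #    simple_preauth:
        #        authenticator: dnd_token_authenticator

    access_control:
        # Rules are evaluated top to bottom and the FIRST match wins, so the
        # narrow "anonymous POST" rule must precede the ROLE_USER catch-all.
        # The trailing $ keeps the anonymous rule from also covering
        # /api/applications/<id>/... sub-resources.
        - { path: ^/api/applications$, roles: IS_AUTHENTICATED_ANONYMOUSLY, methods: [POST] }
        - { path: ^/api/applications, roles: ROLE_USER }
        - { path: ^/api/(agents|regions), roles: ROLE_USER }
```

To check the result, send a POST to /api/applications with no token (it should be accepted and create the resource), then a GET to the same path and to /api/applications/<id> with no token (each should be refused with a 401 or 403 rather than returning data), and finally the same GET with a valid token for a ROLE_USER account. If the anonymous POST is refused under option A, the usual cause is the missing `anonymous: ~` or the two access_control rules being in the wrong order.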