[FLOW3-general] How to secure a controller?

Qbus | Axel Wüstemann awu at qbus.de
Fri Jan 11 09:21:27 CET 2013


Thank you Steffen,

of course I read the documentation. Maybe the authors could decide to 
illustrate the simplest case first and then go further into all 
possible details... so the documentation might become more 
understandable.

I will write a little tutorial once I've got this to run.

What you wrote was a bit my assumption, that this could be the solution. 
But by this, my security depends on the existence of the policy.yaml 
file! Why then encrypted passwords in the database and all that stuff, if 
it would be enough to drop the policy.yaml to kick off all my security 
stuff?

----

'method(Vendor\Package\Controller\StandardController->.*Action())'

What does this really mean?

Do I need to write this for each controller? All of my controllers are 
behind the login. Is there a simpler solution?

Thank you for further assistance!


On 10.01.2013 22:15, Steffen Wickham wrote:
> Hi Axel,
>
> it's not enough to define roles. You also have to define resources and
> acls in your Policy.yaml as well.
> Resources are name-value pairs where the value is a pointcut expression;
> that's where you define the controller. In the acls part you set that
> role "Administrator" has access to a named resource.
>
> Your Policy.yaml has to look like this:
> resources:
>    entities: []
>    methods:
>      StandardController: 'method(Vendor\Package\Controller\StandardController->.*Action())'
>
> # The security policy roles configuration
> roles:
>    Administrator: []
>
> # The security policy acls configuration connects the resources with the
> # roles by assigning privileges. Here is an example configuration array:
> acls:
>    Administrator:
>      methods:
>        StandardController: GRANT
>
> With these settings, you get redirected to the login page when there is
> no authenticated token set.
> Please have a look at further documentation:
> http://flow.typo3.org/documentation/guide/partiii/security.html#policies-aka-access-control-lists-acls
>
> Best regards
> Steffen
>
>
>
> On 10.01.2013 21:46, Qbus | Axel Wüstemann wrote:
>> Hello,
>>
>> I simply want to redirect from the standard controller to the login
>> controller if I'm not yet logged in. How to achieve that? Or more
>> generally: How to secure a controller?
>>
>> What I did:
>>
>> 1. I made the appropriate settings
>>
>>      security:
>>        authentication:
>>          providers:
>>            DefaultProvider:
>>              provider: PersistedUsernamePasswordProvider
>>              requestPatterns:
>>                controllerObjectName: QBUS\BestDesQ\Controller\.*
>>              entryPoint: 'WebRedirect'
>>              entryPointOptions:
>>                uri: login
>>
>> 2. I built a policy
>>
>> roles:
>>    Administrator: []
>>
>> If I call my standard controller by http://bestdesq it shows the
>> index action. Instead I would expect it to redirect to
>> http://bestdesq/login
>>
>> What code do I probably have to additionally add to my controller(s)?
>>
>> Thank you
>> Axel
>> _______________________________________________
>> FLOW3-general mailing list
>> FLOW3-general at lists.typo3.org
>> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow3-general
>


-- 
Qbus Werbeagentur GmbH

18055 Rostock, Heiligengeisthof 5
Tel:   0381 4 61 39 - 10 | Fax: - 22
21029 Hamburg, Chrysanderstraße 69A
Tel:   040 60 94 59 75
Mobile: 0179 46 455 46

www.xing.com/profile/Axel_Wuestemann
www.issuu.com/QbusAgentur/docs/qbus-referenzen?mode=embed

Commercial register: HRB 11218 at the Rostock district court
Registered office: Hanseatic City of Rostock
Managing director: Dipl.-Ing. Axel Wüstemann

www.qbus.de | www.qbus.de/qblog
www.facebook.com/QbusAgentur

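An added Policy.yaml example (not from this thread) that answers the "one entry per controller?" question above: a single resource whose pointcut covers every action of every controller in the package, with the login controller kept out of it so the WebRedirect entry point cannot loop back onto a protected page. The package name QBUS\BestDesQ comes from the settings quoted above; the name LoginController, the negative lookahead in the class pattern, and the built-in Everybody role are assumptions.

```yaml
# Policy.yaml (added example, not from the thread).
# Assumes the package QBUS\BestDesQ from the quoted Settings.yaml and a
# controller named LoginController that renders the login form. The
# (?!Login) lookahead in the class pattern assumes the class name part of
# the pointcut is matched as a regular expression, like the method part.
resources:
  entities: []
  methods:
    # Every *Action() of every controller in the package except the login
    # controller. The login controller must stay reachable without a token,
    # otherwise the WebRedirect entry point would redirect to a protected
    # action and loop.
    QBUS_BestDesQ_AllControllers: 'method(QBUS\BestDesQ\Controller\(?!Login).*Controller->.*Action())'
    # The login controller as its own resource, so the anonymous grant is
    # explicit and easy to audit.
    QBUS_BestDesQ_LoginController: 'method(QBUS\BestDesQ\Controller\LoginController->.*Action())'

roles:
  Administrator: []

acls:
  Administrator:
    methods:
      QBUS_BestDesQ_AllControllers: GRANT
  # Everybody is the role assumed here to be assigned to unauthenticated
  # requests as well; it only gets the login screen.
  Everybody:
    methods:
      QBUS_BestDesQ_LoginController: GRANT
```

A method that no resource matches is let through, which is why this one file carries the whole access-control decision: keep it under version control with the package and check that an unauthenticated request to a non-login action is redirected to the login URI.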
