[FLOW3-general] How to secure a controller?

Qbus | Axel Wüstemann awu at qbus.de
Sun Jan 13 12:10:15 CET 2013


Thank you, Steffen. Unfortunately your proposal ends up with
Fehler 310 (net::ERR_TOO_MANY_REDIRECTS): Zu viele Umleitungen.
while the first proposal works...
>
> But as mentioned in the documentation, the preferred way is to use the
> Policy.yaml. There are no security concerns about it as it's not
> accessible through the browser and can't be modified by another user.
> So you should have a look at the AOP part of the documentation. There is
> an excellent explanation of the pointcut syntax which is used by
> Policy.yaml to define method calls. To achieve your desired security
> level you just have to define two resources and two acls as follows
> (likewise not tested by me):
>
> resources:
>    entities: []
>    methods:
>      Login: 'method(VENDOR\PACKAGE\Controller\LoginController->.*Action())'
>      SecuredArea: 'method(VENDOR\PACKAGE\Controller\.*->.*Action())'
>
> roles:
>    Administrator: []
>
> acls:
>    Everybody:
>      methods:
>        Login: GRANT
>
>    Administrator:
>      methods:
>        SecuredArea: GRANT
>
>
> So everybody is allowed to perform actions on your LoginController
> action methods (named "Login" in the resource part), but access to all
> other controller calls (defined as SecuredArea) without authentication
> (and without the Administrator role) would be restricted. Don't worry about
> the "missing" Login definition for the Administrator role, it's inherited
> from the Everybody role.
>
> Greetings
> Steffen
>
> On 11.01.13 09:21, Qbus | Axel Wüstemann wrote:
>> Thank you Steffen,
>>
>> of course I read the documentation. Maybe the authors could decide to
>> illustrate the most simple solution case first and then go further
>> into all possible details... so the documentation might become more
>> understandable.
>>
>> I will write a little tutorial once I've got this to run.
>>
>> What you wrote was a bit my assumption, that this could be the
>> solution. But by this, my security depends on the existence of the
>> policy.yaml file! Why then encrypted passwords in the database and all
>> that stuff, if it would be enough to drop the policy.yaml to kick off
>> all my security stuff?
>>
>> ----
>>
>> 'method(Vendor\Package\Controller\StandardController->.*Action())'
>>
>> What does this really mean?
>>
>> Do I need to write this for each controller? All of my controllers are
>> behind the login. Is there a simpler solution?
>>
>> Thank you for further assistance!
>>
>>
>> On 10.01.2013 22:15, Steffen Wickham wrote:
>>> Hi Axel,
>>>
>>> it's not enough to define roles. You also have to define resources and
>>> acls in your Policy.yaml.
>>> Resources are name-value pairs where the value is a pointcut expression;
>>> that's where you define the controller. In the acls part you set that
>>> role "Administrator" has access to a named resource.
>>>
>>> Your Policy.yaml has to look like this:
>>>
>>> resources:
>>>     entities: []
>>>     methods:
>>>       StandardController: 'method(Vendor\Package\Controller\StandardController->.*Action())'
>>>
>>> # The security policy roles configuration
>>> roles:
>>>     Administrator: []
>>>
>>> # The security policy acls configuration connects the resources with the
>>> # roles by assigning privileges. Here is an example configuration array:
>>> acls:
>>>     Administrator:
>>>       methods:
>>>         StandardController: GRANT
>>>
>>> With these settings, you get redirected to the login page when there is
>>> no authenticated token set.
>>> Please have a look at further documentation:
>>> http://flow.typo3.org/documentation/guide/partiii/security.html#policies-aka-access-control-lists-acls
>>>
>>>
>>> Best regards
>>> Steffen
>>>
>>> On 10.01.2013 21:46, Qbus | Axel Wüstemann wrote:
>>>> Hello,
>>>>
>>>> I simply want to redirect from the standard controller to the login
>>>> controller if I'm not yet logged in. How to achieve that? Or more
>>>> generally: How to secure a controller?
>>>>
>>>> What I did:
>>>>
>>>> 1. I made the appropriate settings
>>>>
>>>>       security:
>>>>         authentication:
>>>>           providers:
>>>>             DefaultProvider:
>>>>               provider: PersistedUsernamePasswordProvider
>>>>               requestPatterns:
>>>>                 controllerObjectName: QBUS\BestDesQ\Controller\.*
>>>>               entryPoint: 'WebRedirect'
>>>>               entryPointOptions:
>>>>                 uri: login
>>>>
>>>> 2. I built a policy
>>>>
>>>> roles:
>>>>     Administrator: []
>>>>
>>>> If I call my standard controller via http://bestdesq it shows the
>>>> index action. Instead I would expect it to redirect to
>>>> http://bestdesq/login
>>>>
>>>> What code do I probably have to add additionally to my controller(s)?
>>>>
>>>> Thank you
>>>> Axel
>>>> _______________________________________________
>>>> FLOW3-general mailing list
>>>> FLOW3-general at lists.typo3.org
>>>> http://lists.typo3.org/cgi-bin/mailman/listinfo/flow3-general
>>>
>>>
>>
>>
>
>


-- 
Qbus Werbeagentur GmbH

18055 Rostock, Heiligengeisthof 5
Tel:   0381 4 61 39 - 10 | Fax: - 22
21029 Hamburg, Chrysanderstraße 69A
Tel:   040 60 94 59 75
Mobile: 0179 46 455 46

www.xing.com/profile/Axel_Wuestemann
www.issuu.com/QbusAgentur/docs/qbus-referenzen?mode=embed

Commercial register: HRB 11218 at the Amtsgericht Rostock
Registered office: Hansestadt Rostock
Managing director: Dipl.-Ing. Axel Wüstemann

www.qbus.de | www.qbus.de/qblog
www.facebook.com/QbusAgentur
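The following is an added, simplified model of the two-resource Policy.yaml proposed in the thread (resources, roles, acls); it is not part of the list discussion and not FLOW3's own PolicyService, and the rule for combining privileges of overlapping resources is an assumption. It shows that the StandardController is denied without a role, that the Administrator inherits the Everybody GRANT on Login, and that the SecuredArea pointcut also covers the LoginController, so the login action matches two resources at once, which is the first thing to check when redirects loop.

```python
import re

# Constructed, simplified model of the Policy.yaml proposed in the thread; it is
# an added illustration, not FLOW3's own PolicyService or its exact semantics.
POLICY = {
    "resources": {  # name -> 'method(ClassPattern->methodPattern())' pointcut
        "Login": r"method(VENDOR\PACKAGE\Controller\LoginController->.*Action())",
        "SecuredArea": r"method(VENDOR\PACKAGE\Controller\.*->.*Action())",
    },
    "roles": {"Everybody": [], "Administrator": ["Everybody"]},  # role -> parents (assumed)
    "acls": {
        "Everybody": {"Login": "GRANT"},
        "Administrator": {"SecuredArea": "GRANT"},
    },
}

POINTCUT = re.compile(r"^method\((.+)->(.+)\(\)\)$")

def pointcut_matches(pointcut, class_name, method_name):
    """True if both the class and the method pattern of the pointcut match."""
    class_pat, method_pat = POINTCUT.match(pointcut).groups()
    class_pat = class_pat.replace("\\", "\\\\")  # namespace separators are literal
    return (re.fullmatch(class_pat, class_name) is not None
            and re.fullmatch(method_pat, method_name) is not None)

def matching_resources(class_name, method_name):
    """All resource names whose pointcut covers this controller action."""
    return [name for name, pc in POLICY["resources"].items()
            if pointcut_matches(pc, class_name, method_name)]

def effective_roles(roles):
    """Expand the given roles with inherited ones; Everybody always applies."""
    seen, todo = set(), list(roles) + ["Everybody"]
    while todo:
        role = todo.pop()
        if role not in seen:
            seen.add(role)
            todo.extend(POLICY["roles"].get(role, []))
    return seen

def decide(roles, class_name, method_name):
    """Model rule (assumed): unmatched calls are unrestricted; otherwise any DENY
    wins, then any GRANT, and with no privilege at all the call is denied."""
    matched = matching_resources(class_name, method_name)
    if not matched:
        return "GRANT"
    privileges = {POLICY["acls"].get(role, {}).get(res)
                  for role in effective_roles(roles) for res in matched}
    if "DENY" in privileges:
        return "DENY"
    return "GRANT" if "GRANT" in privileges else "DENY"
```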

