[FLOW3-general] How to secure a controller?
Mark Kuiphuis
typo3 at markyourweb.com
Tue Jan 29 01:29:08 CET 2013
I had similar issues when I tried to create a proper redirect to the
login form yesterday. I'm still facing another issue, which is that the form
action of the submit form automatically seems to add something in front
of the URL. But first let me share my code. With this code I got the
redirect to work (which is far from complete or probably even the best
method, but I'm still learning as well). I copied and pasted my code,
which is in between the ###. (Thunderbird is automatically wrapping
lines.) Hopefully you will be able to figure out which lines are wrapped.
/Configuration/Settings.yaml
###
TYPO3:
  Flow:
    security:
      authentication:
        authenticationStrategy: oneToken
        providers:
          DefaultProvider:
            provider: 'PersistedUsernamePasswordProvider'
            entryPoint: 'WebRedirect'
            entryPointOptions:
              uri: 'admin/authentication'
###
/Configuration/Policy.yaml
###
resources:
  entities: []
  methods:
    StandardController:
      'method(Vendor\Package\Controller\StandardController->.*Action())'
    DashboardController:
      'method(Vendor\Package\Controller\DashboardController->.*Action())'
roles:
  Administrator: []
acls:
  Administrator:
    methods:
      StandardController: GRANT
      DashboardController: GRANT
###
/Configuration/Routes.yaml
###
-
  name: 'Application Index'
  uriPattern: ''
  defaults:
    '@package': 'Vendor.Package'
    '@controller': 'Standard'
    '@action': 'index'
    '@format': 'html'
-
  name: 'Admin'
  uriPattern: 'admin'
  defaults:
    '@package': 'Vendor.Package'
    '@controller': 'Dashboard'
    '@action': 'index'
-
  name: 'Admin Authentication'
  uriPattern: 'admin/authentication(/{@action})'
  defaults:
    '@package': 'Vendor.Package'
    '@controller': 'Login'
    '@action': 'index'
##
# Flow subroutes
#
-
  name: 'Flow'
  uriPattern: '<FlowSubroutes>'
  defaults:
    '@format': 'html'
  subRoutes:
    FlowSubroutes:
      package: TYPO3.Flow
###

I have NO reference in my templates, layouts, etc. which checks if the
user is authenticated (<f:security.ifAuthenticated>) and the redirect
still seems to work, so that's fine.

But the problem I am facing is when I want to submit the form.
As the redirect takes place to the login form, the URL now has become:
http://www.domain.com/admin/authentication

The form action, for whatever reason, is:
<form method="post" action="admin/authentication/authenticate">

Thus, submitting this form (I think I copied the form from the
TYPO3.Blog package) the request has become:
http://www.domain.com/admin/admin/authentication/authenticate

I don't understand why this form action adds the whole string again.
There must of course be a logical explanation why, but yet I can't seem
to find it.

Cheers, Mark

On 27/01/13 11:58 PM, Qbus | Axel Wüstemann wrote:
> Because I'm working on a learning project, I did not have time to bring
> the things further. Now I tried again, but it does not work.
>
> Remember: I want a simple login to an application, whose functions are
> completely behind the login. So I need a rule to protect all
> controllers but not the LoginControllers.
>
> I now tried the following. According to
> http://www.php-resource.de/tutorials/tutorial,10,Regulaere-Ausdruecke.htm
>
> "(?<!Text1)text2" means "contains text2, if text 1 does not occur".
>
> So this should properly mean "all Controllers which do not start with
> 'Login' and all actions which do not start with 'initialize'".
>
> As I said, it does not work, no redirect to the LoginController occurs,
> if I call the StandardController.
>
> resources:
>   entities: []
>   methods:
>     SecuredArea:
>       'method(QBUS\BestDesQ\Controller\(?<!Login)Controller->(?<!initialize).*Action())'
>
>
> roles:
>   Administrator: []
>
> acls:
>   Administrator:
>     methods:
>       SecuredArea: GRANT
>
> It would be great if someone could assist me further to get this to run.
>
> Regards
> Axel
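
A coverage check for the pointcut quoted above, as an added example that is not part of the original thread and not Flow's own code: it lists which controller actions a `method(...)` expression would match, which shows whether a policy resource protects anything at all. Assumptions: each side of `->` is matched as an anchored regular expression with namespace backslashes taken literally, Python's `re` stands in for PHP's PCRE (the lookaround syntax used here is the same in both), and the controller list and the `LOOKAHEAD` variant are constructed for comparison.

```python
import re

# Constructed sample: (class, method) pairs of a hypothetical package.
METHODS = [
    ("QBUS\\BestDesQ\\Controller\\StandardController", "indexAction"),
    ("QBUS\\BestDesQ\\Controller\\StandardController", "initializeAction"),
    ("QBUS\\BestDesQ\\Controller\\DashboardController", "indexAction"),
    ("QBUS\\BestDesQ\\Controller\\LoginController", "indexAction"),
    ("QBUS\\BestDesQ\\Controller\\LoginController", "authenticateAction"),
]

# Pointcut as posted in the quoted message (negative lookbehind).
LOOKBEHIND = (r"method(QBUS\BestDesQ\Controller\(?<!Login)Controller"
              r"->(?<!initialize).*Action())")
# Constructed variant for comparison (negative lookahead), not from the thread.
LOOKAHEAD = (r"method(QBUS\BestDesQ\Controller\(?!Login).*Controller"
             r"->(?!initialize).*Action())")


def compile_pointcut(expression):
    """Split 'method(Class->name())' into a class regex and a method regex.

    Assumption: namespace backslashes are literal separators; everything
    else in each part is regular-expression syntax.
    """
    inner = expression[len("method("):-len("())")]
    class_part, method_part = inner.split("->", 1)
    class_regex = class_part.replace("\\", "\\\\")  # escape the separators
    return re.compile(class_regex), re.compile(method_part)


def covered(expression, methods=METHODS):
    """Return the (class, method) pairs the pointcut matches."""
    class_re, method_re = compile_pointcut(expression)
    return [(c, m) for c, m in methods
            if class_re.fullmatch(c) and method_re.fullmatch(m)]


def uncovered(expression, methods=METHODS):
    """Return the pairs the pointcut does not match."""
    hit = set(covered(expression, methods))
    return [pair for pair in methods if pair not in hit]


if __name__ == "__main__":
    for label, expr in (("lookbehind", LOOKBEHIND), ("lookahead", LOOKAHEAD)):
        print(label, "covers:", covered(expr))
        print(label, "leaves out:", uncovered(expr))
```

A lookbehind inspects the characters before its position, so `(?<!Login)Controller` placed right after the namespace separator only matches a class literally named `Controller`; a lookahead inspects the characters that follow.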