leaseweb/secure-controller-bundle

Provide '@Secure' annotation to secure actions in controllers by specifying required roles

LswSecureControllerBundle

Provide '@Secure' annotation to secure actions in controllers by specifying required roles., _(*1)

NB: Instead of this bundle you may want to use the @Security annotation provided by the SensioFrameworkExtraBundle (Symfony 2.4+ feature), _(*2)

NB: This bundle was created because the JMSSecurityExtraBundle is no longer provided in Symfony 2.3 (due to a license incompatibility) and this was the only feature we needed., _(*3)

, _(*4)

Requirements

• PHP 5.3
• Symfony 2.8

Installation

Installation is broken down in the following steps:, _(*5)

1. Download LswSecureControllerBundle using composer
2. Enable the Bundle

Step 1: Download LswSecureControllerBundle using composer

Add LswSecureControllerBundle in your composer.json:, _(*6)

{
    "require": {
        "leaseweb/secure-controller-bundle": "*",
        ...
    }
}

Now tell composer to download the bundle by running the command:, _(*7)

``` bash $ php composer.phar update leaseweb/secure-controller-bundle, <sub>(*8)</sub>

Composer will install the bundle to your project's `vendor/leaseweb` directory.

### Step 2: Enable the bundle

Enable the bundle in the kernel:

``` php
<?php
// app/AppKernel.php

public function registerBundles()
{
    $bundles = array(
        // ...
        new Lsw\SecureControllerBundle\LswSecureControllerBundle(),
    );
}

Usage

As an example we show how to use the '@Secure' annotation in the AcmeDemoBundle to secure the "hello world" page requiring the role "ROLE_TEST" to execute., <sub>(*9)</sub>

In src/Acme/DemoBundle/Controller/SecuredController.php you should add the following line on top, but under the namespace definition:, <sub>(*10)</sub>

``` php use Lsw\SecureControllerBundle\Annotation\Secure;, <sub>(*11)</sub>

To require the "ROLE_TEST" for "helloAction" in the "SecuredController" you should add the line
```@Secure(roles="ROLE_TEST")``` to the DocBlock of the "helloAction" like this: 

``` php
    /**
     * @Secure(roles="ROLE_TEST")
     * @Route("/hello", defaults={"name"="World"}),
     * @Route("/hello/{name}", name="_demo_secured_hello")
     * @Template()
     */
    public function helloAction($name)
    {
        return array('name' => $name);
    }

Or to the DocBlock of the controller like this:, <sub>(*12)</sub>

``` php /** * @Secure(roles="ROLE_TEST") */ class AdminController extends Controller { ... }, <sub>(*13)</sub>

If the user does not have the role the following error should appear when accessing the action:

Current user is not granted required role "ROLE_TEST". 403 Forbidden - AccessDeniedHttpException 1 linked Exception:, <sub>(*14)</sub>

If you put the "@Secure" annotation on an action that is not behind a firewall you get this error:

@Secure(...) annotation found without firewall on "helloAction" in ".../src/Acme/DemoBundle/Controller/DemoController.php" 500 Internal Server Error - AuthenticationCredentialsNotFoundException ```, <sub>(*15)</sub>

Note that you can configure the firewall in app/config/security.yml., <sub>(*16)</sub>

Credits

This would not have been possible without Matthias Noback his excellent posts:, <sub>(*17)</sub>

• Symfony2 & Doctrine Common: creating powerful annotations
• Prevent Controller Execution with Annotations and Return a Custom Response

Contributors

• GregoireHebert
• mevdschee

License

This bundle is under the MIT license., <sub>(*18)</sub>