
I have an API that is in production being used by a single web site. We wish to open this up to other applications. The API is REST and uses Symfony 2. I have been looking at various security strategies and tested some out but am really stuck on how to meet the requirements of authenticating both the application and the user.

I have tried WSSE which works well, but I can not seem to specify two user providers.

The rules are:

- All routes must have an authenticated application, but only some require an authenticated user. The ROLE is then generated based on the application's and user's credentials.

If anyone has some good ideas on the best way to support this it would be much appreciated. I am still developing test cases and so am happy to incorporate some helpful bundles if they exist.

caxton
  • What do you mean by "authenticate the application"? Are you trying to control the client in some way? If this application is running on the client's machine (or the attacker's machine) then it's totally impossible. Furthermore, I am very concerned that you think it might be possible, as this violates the foundation of modern security. – rook Nov 20 '12 at 00:00

1 Answer


Take a look at the documentation on security, especially the chain_provider stuff: http://symfony.com/doc/current/book/security.html#using-multiple-user-providers. This should give you exactly what you need!

Rick Pastoor
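For readers following the link, this is what the chain provider from the answer looks like in a Symfony 2 `security.yml`. It is an added example, not configuration from the question, the answer or the Symfony documentation; the entity classes, property names, provider names, route paths and role names are placeholders, and the `wsse: true` firewall key assumes the custom WSSE authentication factory from the Symfony cookbook has been registered. A firewall's `provider` key accepts exactly one provider name, which is why WSSE could not be pointed at two user tables directly; a chain provider queries each listed provider in order until one returns a user, so consumer applications and end users can live in separate stores while the access rules distinguish them by role.

```yaml
# app/config/security.yml (Symfony 2.1+ syntax). Added example; names are placeholders.
security:
    encoders:
        # Hypothetical entity classes for API consumer applications and end users.
        Acme\ApiBundle\Entity\Application: sha512
        Acme\ApiBundle\Entity\User: sha512

    providers:
        # A firewall can reference only one provider, so point it at a chain that
        # asks each listed provider in turn until one of them returns a user.
        api_chain:
            chain:
                providers: [applications, end_users]
        # Consumer applications, looked up by a client identifier in their own table.
        applications:
            entity: { class: Acme\ApiBundle\Entity\Application, property: clientId }
        # End users of the web site(s) that consume the API.
        end_users:
            entity: { class: Acme\ApiBundle\Entity\User, property: username }

    firewalls:
        api:
            pattern: ^/api/
            stateless: true
            provider: api_chain
            # Assumes the WSSE factory from the Symfony cookbook is registered under "wsse".
            wsse: true

    role_hierarchy:
        # Granting ROLE_USER also grants ROLE_APPLICATION, so user-authenticated
        # requests satisfy the application-only rules below.
        ROLE_USER: ROLE_APPLICATION

    access_control:
        # Routes that need an authenticated end user are listed first (rules match top-down);
        # every other API route only needs an authenticated application.
        - { path: ^/api/account, roles: ROLE_USER }
        - { path: ^/api/,        roles: ROLE_APPLICATION }
```

Rules in `access_control` are evaluated in order and the first match wins, so the narrower user-only paths must precede the catch-all application rule; with `stateless: true` the credentials are checked on every request, which is the usual posture for an API consumed by third-party applications.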