2

There was the same question 1 year ago but provided solution is not correct and doesn't work.

I have FOSUSerBUndle + FOSRestBundle + FOSOauthServerBundle and have some resource controllers under /api path that want to protect.

I have usual users that use this API from Backbone.js frontend, and now I want to use this API for mobile application, so I need a access_token logic.

It works very well when I use /api/resource?access_token=TOKEN url, but it doesn't work when I'm logged in with usual web login form as a User. Symfony throws a 401 error.

Here is a security.yml :

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:      ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        oauth_token:
            pattern:   ^/oauth/v2/token
            security:  false

        api:
            pattern:   ^/api
            fos_oauth: true
            stateless: true

        secured_area:
            pattern: ^/
            oauth:
                failure_path: /connect
                login_path: /login
                check_path: /connect
                provider: fos_userbundle
                resource_owners:
                   #github:           "/secure_area/login/check-github"
                    #twitter:          "/secure_area/login/check-twitter"
                    facebook:         /login/check-facebook
                    #google:           "/secure_area/login/check-google"
                oauth_user_provider:
                    service: hwi_oauth.user.provider.fosub_bridge

            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                check_path: /login_check
                login_path: /login
                default_target_path: /home #default location to redirect after successful login

            anonymous:   true
            logout:
                path:          /logout
                target:        /login #where to go after logout

        main:
            pattern: ^/
            form_login:
                login_path: fos_user_security_login
                provider: fos_userbundle
                success_handler: authentication_handler
                failure_handler: authentication_handler
                csrf_provider: form.csrf_provider
            logout:      true
            anonymous:   true

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, role: ROLE_ADMIN }
        - { path ^/api, role: IS_AUTHENTICATED_FULLY }
        - { path ^/home, role: ROLE_USER }

Is it possible to handle it properly for both website and mobile app? Please help with advice.

Community
  • 1
  • 1
borN_free
  • 1,385
  • 11
  • 19
  • There is an updated **correct** answer to related question. Please use it as a solution http://stackoverflow.com/a/22964736/2579875 – borN_free Oct 12 '15 at 21:22

0 Answers0