
My goal is to have all routes under the firewall protected API except some. I have firewall configuration like this:

security:
    acl:
        connection: default

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    firewalls:
        oauth_token:
            pattern:    ^/oauth/v2/token
            security:   false

        oauth_authorize:
            pattern:    ^/oauth/v2/auth
            form_login:
                provider: fos_userbundle
                check_path: /oauth/v2/auth_login_check
                login_path: /oauth/v2/auth_login
            anonymous: true

        api:
            pattern:    ^/.*
            fos_oauth:  true
            stateless:  true
            anonymous: false

    access_control:
        - { path: ^/, methods: [GET], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
        - { path: ^/doc, methods: [GET], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
        - { path: ^/resque, methods: [GET], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
        - { path: /monitor, methods: [GET], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
        - { path: /users, methods: [POST], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
        - { path: /users/me/registration/confirm, methods: [GET], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
        - { path: /users/me/email/confirm, methods: [GET], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
        - { path: /instants/.*, methods: [PUT], roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
        - { path: ^/_profiler, roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
        - { path: ^/_wdt, roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
        - { path: ^/_configurator, roles: [ IS_AUTHENTICATED_ANONYMOUSLY ]}
        - { path: /.*, roles: [ IS_AUTHENTICATED_FULLY ]}

But the routes /resque, /monitor and others are not reachable without an access token. Am I doing something wrong in the configuration? Or is it not possible to implement a route whitelist?

Angelo Giuffredi
  • @Genar nope, but I solved my problem by integrating another OAuth grant_type (client_credentials). I don't have any public route in the API, but the clients are able to make requests to some endpoints without user authentication. – Angelo Giuffredi Jul 22 '15 at 15:30
  • @AngeloGiuffredi I'm in the same situation, how did you disable some endpoints/routes for the client_credentials grant_type? – sh4 Apr 21 '16 at 14:49

2 Answers

You can use exceptions in your api's pattern:

api:
    pattern: ^/api(?!/doc)(?!/user/add)(?!/user/availability)   # All URLs are protected except api/doc ; api/user/add ; api/user/availability
    fos_oauth: true                                             # OAuth2 protected resource
    stateless: true                                             # Do no set session cookies
    anonymous: false                                            # Anonymous access is not allowed

With this you do not need to describe

access_control:
- ...
Ben Ga

I had the same problem and I solved it by implementing another firewall. On this route the OAuth token won't be checked. I put other regex routes in the pattern. And don't forget to put this firewall in front of your api firewall, since you have the "match it all" regex.

    api_anonym_area:
        pattern: (^/api/users/forgotten-password/.*)
        methods: [POST]
        security: false
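A small model of Symfony's first-match firewall selection, added here as an example; it is not code from Symfony or from either answer. It replays the asker's catch-all `^/.*` firewall, the negative-lookahead pattern from the first answer and the `security: false` firewall from the second, and assumes that only the `pattern`, `methods` and `security` keys matter and that, as in Symfony's RequestMatcher, the pattern is matched unanchored against the request path.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Firewall:
    """One entry under security.firewalls (constructed model, only the keys this page uses)."""
    name: str
    pattern: str
    security: bool = True        # security: false -> the firewall bypasses security entirely
    methods: Tuple[str, ...] = ()  # empty -> any HTTP method (Symfony's `methods` option)

    def matches(self, path: str, method: str) -> bool:
        # Symfony runs an unanchored preg_match on the path, so `^` is the author's job.
        if self.methods and method.upper() not in self.methods:
            return False
        return re.search(self.pattern, path) is not None


def select_firewall(firewalls: List[Firewall], path: str, method: str = "GET") -> Optional[Firewall]:
    """The first declared firewall whose pattern (and methods) match wins; later ones are never consulted."""
    for fw in firewalls:
        if fw.matches(path, method):
            return fw
    return None


def requires_token(firewalls: List[Firewall], path: str, method: str = "GET") -> bool:
    """True when the request lands on a firewall that still enforces security.

    access_control is deliberately not modelled: with anonymous: false the api
    firewall rejects a token-less request before any access_control rule could
    grant IS_AUTHENTICATED_ANONYMOUSLY, which is exactly the asker's symptom.
    """
    fw = select_firewall(firewalls, path, method)
    return fw is not None and fw.security


# Constructed from the configurations on this page.
ASKER = [
    Firewall("oauth_token", r"^/oauth/v2/token", security=False),
    Firewall("oauth_authorize", r"^/oauth/v2/auth"),
    Firewall("api", r"^/.*"),  # catch-all: /resque, /monitor and friends all land here
]
LOOKAHEAD = [  # answer 1: carve the exceptions out of the api pattern itself
    Firewall("api", r"^/api(?!/doc)(?!/user/add)(?!/user/availability)"),
]
GOOD_ORDER = [  # answer 2: a security: false firewall declared BEFORE the catch-all
    Firewall("api_anonym_area", r"(^/api/users/forgotten-password/.*)", security=False, methods=("POST",)),
    Firewall("api", r"^/api"),
]
BAD_ORDER = list(reversed(GOOD_ORDER))  # same firewalls, catch-all first: the exception is dead code
```

Note that `(?!/doc)` also drops `/api/documents` out of the api firewall, so an unmatched path ends up with no firewall at all; anchor each exception with a trailing `/` or `$` to keep the hole as small as intended.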