Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit203a258

Browse files
committed
Merge branch '4.4' into 5.0
* 4.4: [#13171] Some small rewordings [Security] Explain lazy anonymous mode
2 parents11c6c01 +b64dd02 commit203a258

File tree

2 files changed

+24
-9
lines changed

2 files changed

+24
-9
lines changed

‎security.rst‎

Lines changed: 22 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -289,18 +289,33 @@ accidentally block Symfony's dev tools - which live under URLs like ``/_profiler
289289
and ``/_wdt``.
290290

291291
All *real* URLs are handled by the ``main`` firewall (no ``pattern`` key means
292-
it matches *all* URLs). But this does *not* mean that every URL requires authentication.
293-
Nope, thanks to the ``anonymous`` key, this firewall *is* accessible anonymously.
292+
it matches *all* URLs). A firewall can have many modes of authentication,
293+
in other words many ways to ask the question "Who are you?". Often, the
294+
user is unknown (i.e. not logged in) when they first visit your website. The
295+
``anonymous`` mode, if enabled, is used for these requests.
294296

295-
In fact, if you go to the homepage right now, you *will* have access and you'll see
296-
that you're "authenticated" as ``anon.``. Don't be fooled by the "Yes" next to
297-
Authenticated. The firewall verified that it does not know your identity, and so,
298-
you are anonymous:
297+
In fact, if you go to the homepage right now, you *will* have access and you'll
298+
see that you're "authenticated" as ``anon.``. The firewall verified that it
299+
does not know your identity, and so, you are anonymous:
299300

300301
..image::/_images/security/anonymous_wdt.png
301302
:align:center
302303

303-
You'll learn later how to deny access to certain URLs or controllers.
304+
It means any request can have an anonymous token to access some resource,
305+
while some actions (i.e. some pages or buttons) can still require specific
306+
privileges. A user can then access a form login without being authenticated
307+
as a unique user (otherwise an infinite redirection loop would happen
308+
asking the user to authenticate while trying to doing so).
309+
310+
You'll learn later how to deny access to certain URLs, controllers, or part of
311+
templates.
312+
313+
..tip::
314+
315+
The ``lazy`` anonymous mode prevents the session from being started if
316+
there is no need for authorization (i.e. explicit check for a user
317+
privilege). This is important to keep requests cacheable (see
318+
:doc:`/http_cache`).
304319

305320
..note::
306321

‎security/form_login.rst‎

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -45,7 +45,7 @@ First, enable ``form_login`` under your firewall:
4545
4646
<config>
4747
<firewallname="main">
48-
<anonymous/>
48+
<anonymouslazy="true"/>
4949
<form-loginlogin-path="login"check-path="login"/>
5050
</firewall>
5151
</config>
@@ -57,7 +57,7 @@ First, enable ``form_login`` under your firewall:
5757
$container->loadFromExtension('security', [
5858
'firewalls' => [
5959
'main' => [
60-
'anonymous' =>null,
60+
'anonymous' =>'lazy',
6161
'form_login' => [
6262
'login_path' => 'login',
6363
'check_path' => 'login',

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp