Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork5.2k
[Security] Simplifying the DEV firewall's pattern#20794
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:6.4
Are you sure you want to change the base?
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Page:https://symfony.com/doc/6.4/security.html#the-firewallReasons:* The inner parentheses `_(profiler|wdt)` are overly complicated* AssetMapper recommends to have all assets under `/asset/`:https://symfony.com/doc/6.4/frontend/asset_mapper.html
security.rst Outdated
| @@ -497,7 +497,7 @@ will be able to authenticate (e.g. login form, API token, etc). | |||
| # the order in which firewalls are defined is very important, as the | |||
| # request will be handled by the first firewall whose pattern matches | |||
| dev: | |||
| pattern: ^/(_(profiler|wdt)|css|images|js)/ | |||
| pattern: ^/(_profiler|_wdt|assets)/ | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
IIRC we have it this way to be in line with the recipe:https://github.com/symfony/recipes/blob/main/symfony/security-bundle/6.4/config/packages/security.yaml#L10
ThomasLandauerMar 22, 2025 • edited by javiereguiluz
Loading Uh oh!
There was an error while loading.Please reload this page.
edited by javiereguiluz
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Well, then let's change it there too :-)symfony/recipes#1395
The security config is not merged between environments. So you would have to repeat everything for the |
Is this true forall parts of the config? if ('test' ===$containerConfigurator->env()) {// ...} |
wouterj commentedMar 22, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Not to all parts, and some parts behave differently. We don't merge configuration from About this PR, I think it makes sense, but let's wait for the recipe to be accepted as the documentation have to be in sync with the generated recipes. |
| @@ -497,7 +497,7 @@ will be able to authenticate (e.g. login form, API token, etc). | |||
| # the order in which firewalls are defined is very important, as the | |||
| # request will be handled by the first firewall whose pattern matches | |||
| dev: | |||
| pattern: ^/(_(profiler|wdt)|css|images|js)/ | |||
| pattern: ^/_profiler|_wdt|assets|build/ # `assets` is for AssetMapper; `build` is for Webpack Encore | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| pattern: ^/_profiler|_wdt|assets|build/ # `assets` is for AssetMapper; `build` is for Webpack Encore | |
| pattern: ^/(_profiler|_wdt|assets|build)/ # `assets` is for AssetMapper; `build` is for Webpack Encore |
| @@ -529,8 +529,8 @@ will be able to authenticate (e.g. login form, API token, etc). | |||
| <!-- the order in which firewalls are defined is very important, as the | |||
| request will be handled by the first firewall whose pattern matches --> | |||
| <firewall name="dev" | |||
| pattern="^/(_(profiler|wdt)|css|images|js)/" | |||
| security="false"/> | |||
| pattern="^/_profiler|_wdt|assets|build/" | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| pattern="^/_profiler|_wdt|assets|build/" | |
| pattern="^/(_profiler|_wdt|assets|build)/" |
| @@ -555,7 +555,7 @@ will be able to authenticate (e.g. login form, API token, etc). | |||
| // the order in which firewalls are defined is very important, as the | |||
| // request will be handled by the first firewall whose pattern matches | |||
| $security->firewall('dev') | |||
| ->pattern('^/(_(profiler|wdt)|css|images|js)/') | |||
| ->pattern('^/_profiler|_wdt|assets|build/') // `assets` is for AssetMapper; `build` is for Webpack Encore | |||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
| ->pattern('^/_profiler|_wdt|assets|build/') // `assets` is for AssetMapper; `build` is for Webpack Encore | |
| ->pattern('^/(_profiler|_wdt|assets|build)/') // `assets` is for AssetMapper; `build` is for Webpack Encore |
Uh oh!
There was an error while loading.Please reload this page.
Page:https://symfony.com/doc/6.4/security.html#the-firewall
Reasons:
_(profiler|wdt)are overly complicated/assets/:https://symfony.com/doc/6.4/frontend/asset_mapper.htmlQuestion:
Shouldn't this
devfirewall be loaded in DEV environment only? (i.e. under something likewhen@dev)