Issue
We have a Symfony firewall which is only valid for a certain host. When users make requests to pages guarded by this firewall, we are catching the request and doing the right approval/deny/ask for login step.
It looks like this, roughly (some bits removed), and allows our-domain.com and direct subdomains to be used by this firewall.
main:
    pattern: ^/.*
    form_login: ...
    anonymous: true
    host: '^((([^.])+\.)?our-domain\.com)$'
    guard: ...
However, we are finding that a (cheeky) person is occasionally hitting one of these URLs but for a different host, e.g. an IP address or a different domain. As the firewall does not match this host, we are getting the following exception:
The token storage contains no authentication token. One possible reason may be that there is no firewall configured for this URL.
We are exploring different ways we could prevent requests on "not allowed" hosts, but we've as yet been unable to find a suitable answer.
One option that seems right is a "deny all" or a "catch all else" type firewall - something where we can say "if you didn't match any of the other firewalls, then treat this as disallowed".
Is there a way to do this in Symfony?
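The host regex above is the only thing deciding which requests the firewall sees, so it is worth checking it against the kinds of Host headers the question mentions (a raw IP, a different domain) and a few lookalikes. The following is an added example, not code from the original post or from Symfony: it uses Python's re as a stand-in for the preg_match() call Symfony makes, and approximates Request::getHost() (trim, strip port, lowercase; its character validation is left out) and RequestMatcher's case-insensitive, unanchored host test. The sample Host values are constructed.

```python
import re

# Firewall host pattern copied from the question's security config. Symfony
# evaluates it with preg_match(); Python's re has the same semantics for it.
FIREWALL_HOST = r'^((([^.])+\.)?our-domain\.com)$'


def normalize_host(host_header: str) -> str:
    """Approximation of Symfony's Request::getHost(): trim, strip a trailing
    :port, lowercase. (Assumption: the real method also rejects hosts with
    illegal characters; that validation is omitted here.)"""
    host = host_header.strip()
    host = re.sub(r':\d+$', '', host)
    return host.lower()


def firewall_matches(host_header: str, pattern: str = FIREWALL_HOST) -> bool:
    """Mirror RequestMatcher's host test, preg_match('{'.$host.'}i', ...):
    unanchored search, case-insensitive, against the normalized host."""
    return re.search(pattern, normalize_host(host_header), re.IGNORECASE) is not None


def unguarded_hosts(host_headers):
    """Return the Host values that fall outside the firewall. A request for any
    of these reaches the protected route with no firewall and no token, which is
    the 'token storage contains no authentication token' situation."""
    return [h for h in host_headers if not firewall_matches(h)]


# Constructed sample Host headers, not taken from the original page.
SAMPLE_HOSTS = [
    "our-domain.com",            # bare domain: guarded
    "App.Our-Domain.com:8443",   # subdomain, mixed case, explicit port: guarded
    "a.b.our-domain.com",        # two levels deep: not guarded (one label allowed)
    "192.0.2.1",                 # raw IP, the case from the question: not guarded
    "evil-our-domain.com",       # lookalike without the dot: not guarded
    "our-domain.com.evil.net",   # suffix attack: not guarded ($ anchor)
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{h:28} {'guarded' if firewall_matches(h) else 'NOT guarded'}")
```

Run it directly to see the verdict per host. The pattern holds up against the lookalikes because both ends are anchored and the dot before our-domain is literal; what it does not do is give the unmatched hosts any handling at all, which is exactly the gap the question describes.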
Solution
If you execute bin/console debug:router you'll get an output similar to this:
Name              Method   Scheme   Host   Path
----------------  -------  -------  -----  ----------
homepage          ANY      ANY      ANY    /
contact           GET      ANY      ANY    /contact
As you can see, by default all URIs are accessible on all hosts reachable by your webserver configuration.
If you want to restrict them to a given host(s) and return a 404, you can use the host parameter in the route configuration.
To avoid having to add the parameter to each @Route annotation, you can configure it globally via yaml:
# config/routes/annotations.yaml
controllers:
    resource: '../../src/Controller/'
    type: annotation
    host: '^((([^.])+\.)?our-domain\.com)$'
Answered By - msg Answer Checked By - David Goodson (PHPFixing Volunteer)