Symfony Security FOSOAuthServerBundle public and private routes

Question

I am using the FOSOAuthBundle for my REST application

I would like most of my routes to require authorization however there are a few that should have public access

I have the following in my security.yml:

security:
encoders:
    FOS\UserBundle\Model\UserInterface: bcrypt

role_hierarchy:
    ROLE_ADMIN:       ROLE_USER
    ROLE_SUPER_ADMIN: ROLE_ADMIN

providers:
    fos_userbundle:
        id: fos_user.user_provider.username

firewalls:
    oauth_token:
        pattern:    ^/login
        security:   false

    api:
        pattern:    ^/
        fos_oauth:  true
        stateless:  true
        anonymous:  false

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: [ IS_AUTHENTICATED_FULLY ] }

For example:

I have a Products Entity and Controller

I would like the CRUD operations to be private except for Read

So: POST, PUT, DELETE on /products(/:id) should be private while GET should be public.

I have tried adding the following to the access_control:

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/products$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/, roles: [ IS_AUTHENTICATED_FULLY ] }

I thought this would open up all methods on /products but I get the error:

{
  "error": "access_denied",
  "error_description": "OAuth2 authentication required"
} 

I have many entities and controllers I am trying to apply this to.

How would I go about opening up specific routes (including the method requirements)?

Answer 1

You can make new firewall with regex and set it like this. You have to put it in front of your api firewall in order to match this regex first.

api_anonym_area:
      pattern: (^/api/products/.*)
      methods: [GET]
      security: false

Or you can make it

api_anonym_area:
      pattern: (^/api/products/.*)
      methods: [GET]
      anonymous: true

with

access_control:
- { path: ^/api/products/.*, role: IS_AUTHENTICATED_ANONYMOUSLY}

In first case you wont have token, in in second case you will have token (its good when you expect authenticated or anonymous users to come).

Answer 2

To achieve this, best way would be to code the permissions in the controllers, I don't think this is possible via the security.yml configuration.

You should remove:

 - { path: ^/, roles: [ IS_AUTHENTICATED_FULLY ] }

And manage permissions inside the controller actions, for example (taken from symfony documentation at http://symfony.com/doc/current/security.html)

public function updateProduct($id)
{
    // The second parameter is used to specify on what object the role is tested.
    $this->denyAccessUnlessGranted('ROLE_ADMIN', null, 'Unable to access this page!');

    // Old way :
    // if (false === $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) {
    //     throw $this->createAccessDeniedException('Unable to access this page!');
    // }

    // ...
}