【发布时间】:2021-10-19 17:48:55
【问题描述】:
我试图只允许注册(POST 方法)新用户(路由:/api/users),我尝试遵循文档(https://symfony.com/doc/current/security/firewall_restriction.html#restricting-by-http-methods),但是当我使用 Postman 进行测试时,我仍然管理使用 GET 方法查看所有用户。 security.yaml 文件:
security:
# https://symfony.com/doc/current/security/authenticator_manager.html
enable_authenticator_manager: true
# https://symfony.com/doc/current/security.html#c-hashing-passwords
password_hashers:
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
App\Entity\User:
algorithm: auto
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
providers:
# used to reload user from session & other features (e.g. switch_user)
app_user_provider:
entity:
class: App\Entity\User
property: email
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
registration:
pattern: ^/api/users
stateless: true
methods: [POST]
login:
pattern: ^/api/login
stateless: true
json_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
api:
pattern: ^/api
stateless: true
jwt: ~
main:
lazy: true
provider: app_user_provider
# activate different ways to authenticate
# https://symfony.com/doc/current/security.html#firewalls-authentication
# https://symfony.com/doc/current/security/impersonating_user.html
# switch_user: true
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
# access_control:
# - { path: ^/api/login, roles: PUBLIC_ACCESS }
# - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
短版:
firewalls:
registration:
pattern: ^/api/users
stateless: true
methods: [POST]
尝试使用 GET 方法访问 /api/users 时应该看到代码 401,“未找到 JWT 令牌”。 但我没有,我看到了用户和他们的数据。
【问题讨论】:
标签: symfony http api-platform.com lexikjwtauthbundle