Is there a specific reason you defined a separate firewall for "pattern: ^/login"? Firewall patterns match like routing rules, so I would assume that all requests to "^/login*" are getting picked up by the "login" firewall, which you have defined as only having the anonymous listener. In that case, the form listener would never intercept the "/login_check" request and it would defer to routing.
It might make more sense to use "anonymous: true" in your final firewall (for "pattern: ^/") and rely on access_control to let anonymous users access /login* routes.

Additionally, if you need to debug and prove that your form listener isn't being called, you can trace the behavior in AbstractAuthenticationListener and/or UsernamePasswordFormAuthenticationListener, which are both under the Symfony\Component\Security\Http\Firewall namespace.

Lastly: While not related to the solution, I would also suggest you add the controller action that renders the login form for the login_check routing rule. By default, the form listener only attempts authentication if /login_check is accessed via a POST. On the odd chance a user refreshes the page or directly copies the URL after a submitted login form, they might turn up an error. It should be perfectly safe to have both /login and /login_check bring up a login form on GET (or better yet, you have GET /login_check redirect to /login). All possible using _method requirements on the routing rules.
On Tue, Apr 5, 2011 at 8:16 AM, Dennis Jacobfeuerborn <[email protected]> wrote:
>
> The security.yml is the same as the one I posted on the user list:
>
> security:
>     encoders:
>         Symfony\Component\Security\Core\User\User:
>             algorithm: sha1
>             encode-as-base64: false
>             iterations: 1
>
>     role_hierarchy:
>         ROLE_ADMIN: ROLE_USER
>         ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
>
>     providers:
>         in_memory:
>             users:
>                 admin: { password: 9af2785afcfdd303af47fa698c6000fb731a772d, roles: [ 'ROLE_ADMIN' ] }
>
>     firewalls:
>         profiler:
>             pattern: ^/_profiler
>             security: false
>
>         wdt:
>             pattern: ^/_wdt
>             security: false
>
>         login:
>             pattern: ^/login
>             security: true
>             anonymous: true
>
>         secured_area:
>             pattern: ^/
>             form_login:
>                 check_path: /login_check
>                 login_path: /login
>             logout:
>                 path: /logout
>                 target: /login
>             #anonymous: ~
>             #http_basic:
>             #    realm: "Secured Demo Area"
>
>     access_control:
>         - { path: /login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
>         - { path: /.*, roles: ROLE_USER }
>

--
jeremy mikola

You received this message because you are subscribed to the Google Groups "symfony developers" group.
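As an added illustration of the advice in the reply (not part of the original thread or of Symfony's own documentation), here is the quoted security.yml reworked so that no separate firewall claims ^/login: the catch-all firewall carries anonymous: true, and access_control alone opens the login URLs to unauthenticated visitors. The role_hierarchy block is unchanged and omitted; the _method restrictions on the routes are assumed to live in routing.yml.

```yaml
security:
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: sha1
            encode-as-base64: false
            iterations: 1

    providers:
        in_memory:
            users:
                # same hash as in the quoted config (sha1 of the demo password)
                admin: { password: 9af2785afcfdd303af47fa698c6000fb731a772d, roles: [ 'ROLE_ADMIN' ] }

    firewalls:
        profiler:
            pattern: ^/_profiler
            security: false

        wdt:
            pattern: ^/_wdt
            security: false

        # The former "login" firewall (pattern: ^/login) is gone: firewalls are
        # matched first-pattern-wins, so it also captured /login_check and the
        # form listener of the firewall below never saw the POST.
        secured_area:
            pattern: ^/
            # Unauthenticated requests now receive an anonymous token on this
            # firewall instead of being bounced; access_control decides per path.
            anonymous: true
            form_login:
                check_path: /login_check
                login_path: /login
            logout:
                path: /logout
                target: /login

    access_control:
        # ^/login is a regex prefix, so it covers both /login and /login_check
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # Everything else on the same firewall still requires a real login
        - { path: ^/, roles: ROLE_USER }
```

With this layout a GET to /login renders the form via the anonymous token, and the POST to /login_check reaches UsernamePasswordFormAuthenticationListener on secured_area because no earlier firewall pattern matches it.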
