On 24.04.2011, at 05:21, ryan weaver wrote:

> Hey guys!
>
> I'm diving into the security component in a big way to write its docs. I think the security component is going to be a fantastic feature, but I also realize that there are some common pain points. Of course, updated documentation is going to go a long way, but I'm hoping we can also address things with better exception messages. Here are a few pain points I created just by tweaking the standard-distribution security.yml:
>
> * If the login page (e.g. /login) is in a secured area (i.e. behind a firewall), you just get a redirect loop. Can we notify the user somehow?
>
> * Obviously, the actual login/logout URLs used by the security component are independent from the routing. This means you may just get redirected to a 404 for login. I realize we're decoupled, but can we do better?
>
> * The URL for your check_path must be a URL managed by the firewall. If you create the route correctly, but forget to match the "check_path" option to that URL, you'll hit a "gotcha". Specifically, the login form will submit, but then get caught by the firewall and redirected back to the login form. The user just sees the login page over and over again, but without any form errors. Again, this is difficult, but perhaps we can identify *something* that tells us this is happening so we can notify the user.
I think we just need to do a lot more work inside the SecurityExtension to sanity check all the settings, or probably a compiler pass. For example, inside a compiler pass we could use the route resolver to check that the URLs do not point to a 404.

As for the redirect loop, not sure we can do much about that, except if we enable anonymous access by default (aka requiring to disable it).

regards,
Lukas Kahwe Smith
[email protected]

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
You received this message because you are subscribed to the Google Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
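As an added illustration that is not part of the thread, the following standard-distribution-style security.yml shows the misconfigurations Ryan describes (login page locked behind the firewall, check_path not matching the form's route) next to a corrected version, plus the routing fragment that keeps the login URLs from returning a 404. Firewall name, paths, bundle and role names are assumed.

```yaml
# Added example (not from the thread); firewall name, paths and roles are assumed.

# --- Misconfigured: reproduces the pain points above ---
security:
    firewalls:
        secured_area:
            pattern: ^/
            # no "anonymous" key: every request under ^/ needs a real token,
            # including the login page itself
            form_login:
                login_path: /login
                check_path: /login_check   # but the form below posts to /login/check,
                                           # so the firewall never sees the credentials
    access_control:
        # no exception for ^/login: an unauthenticated visitor is sent to /login,
        # which requires ROLE_USER, which sends them to /login again (redirect loop)
        - { path: ^/, roles: ROLE_USER }

---
# --- Corrected ---
security:
    firewalls:
        secured_area:
            pattern: ^/
            anonymous: ~                   # anonymous token so /login is reachable
            form_login:
                login_path: /login
                check_path: /login_check   # matches the form's action and sits under "pattern"
            logout:
                path: /logout
    access_control:
        # rules are first-match: open the login page and check URL before locking ^/
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/, roles: ROLE_USER }

---
# routing.yml fragment: give login_path, check_path and the logout path real routes
# so none of them 404s; the firewall intercepts POSTs to /login_check itself.
login:
    pattern: /login
    defaults: { _controller: AcmeDemoBundle:Security:login }   # renders the form, action = login_check
login_check:
    pattern: /login_check
logout:
    pattern: /logout
```

The form's action must be generated from the login_check route so that it can never drift away from check_path; a mismatch between the two is exactly the silent "login page over and over" symptom from the third pain point.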
