.. index:: single: Security; Configuration reference
The security system is one of the most powerful parts of Symfony2, and can largely be controlled via its configuration.
The following is the full default configuration for the security system. Each part will be explained in the next section.
.. configuration-block::
.. code-block:: yaml
# app/config/security.yml
security:
access_denied_url: ~ # Example: /foo/error403
# strategy can be: none, migrate, invalidate
session_fixation_strategy: migrate
hide_user_not_found: true
always_authenticate_before_granting: false
erase_credentials: true
access_decision_manager:
strategy: affirmative
allow_if_all_abstain: false
allow_if_equal_granted_denied: true
acl:
# any name configured in doctrine.dbal section
connection: ~
cache:
id: ~
prefix: sf2_acl_
provider: ~
tables:
class: acl_classes
entry: acl_entries
object_identity: acl_object_identities
object_identity_ancestors: acl_object_identity_ancestors
security_identity: acl_security_identities
voter:
allow_if_object_identity_unavailable: true
encoders:
# Examples:
Acme\DemoBundle\Entity\User1: sha512
Acme\DemoBundle\Entity\User2:
algorithm: sha512
encode_as_base64: true
iterations: 5000
# Example options/values for what a custom encoder might look like
Acme\Your\Class\Name:
algorithm: ~
ignore_case: false
encode_as_base64: true
iterations: 5000
id: ~
providers: # Required
# Examples:
memory:
name: memory
users:
foo:
password: foo
roles: ROLE_USER
bar:
password: bar
roles: [ROLE_USER, ROLE_ADMIN]
entity:
entity:
class: SecurityBundle:User
property: username
# Example custom provider
some_custom_provider:
id: ~
chain:
providers: []
firewalls: # Required
# Examples:
somename:
pattern: .*
request_matcher: some.service.id
access_denied_url: /foo/error403
access_denied_handler: some.service.id
entry_point: some.service.id
provider: some_key_from_above
context: name
stateless: false
x509:
provider: some_key_from_above
http_basic:
provider: some_key_from_above
http_digest:
provider: some_key_from_above
form_login:
check_path: /login_check
login_path: /login
use_forward: false
always_use_default_target_path: false
default_target_path: /
target_path_parameter: _target_path
use_referer: false
failure_path: /foo
failure_forward: false
failure_handler: some.service.id
success_handler: some.service.id
username_parameter: _username
password_parameter: _password
csrf_parameter: _csrf_token
intention: authenticate
csrf_provider: my.csrf_provider.id
post_only: true
remember_me: false
remember_me:
token_provider: name
key: someS3cretKey
name: NameOfTheCookie
lifetime: 3600 # in seconds
path: /foo
domain: somedomain.foo
secure: false
httponly: true
always_remember_me: false
remember_me_parameter: _remember_me
logout:
path: /logout
target: /
invalidate_session: false
delete_cookies:
a: { path: null, domain: null }
b: { path: null, domain: null }
handlers: [some.service.id, another.service.id]
success_handler: some.service.id
anonymous: ~
# Default values and options for any firewall
some_firewall_listener:
pattern: ~
security: true
request_matcher: ~
access_denied_url: ~
access_denied_handler: ~
entry_point: ~
provider: ~
stateless: false
context: ~
logout:
csrf_parameter: _csrf_token
csrf_provider: ~
intention: logout
path: /logout
target: /
success_handler: ~
invalidate_session: true
delete_cookies:
# Prototype
name:
path: ~
domain: ~
handlers: []
anonymous:
key: 4f954a0667e01
switch_user:
provider: ~
parameter: _switch_user
role: ROLE_ALLOWED_TO_SWITCH
access_control:
requires_channel: ~
# use the urldecoded format
path: ~ # Example: ^/path to resource/
host: ~
ip: ~
methods: []
roles: []
role_hierarchy:
ROLE_ADMIN: [ROLE_ORGANIZER, ROLE_USER]
ROLE_SUPERADMIN: [ROLE_ADMIN]
When using the form_login authentication listener beneath a firewall,
there are several common options for configuring the "form login" experience:
login_path(type:string, default:/login) This is the URL that the user will be redirected to (unlessuse_forwardis set totrue) when he/she tries to access a protected resource but isn't fully authenticated.This URL must be accessible by a normal, un-authenticated user, else you may create a redirect loop. For details, see ":ref:`Avoid Common Pitfalls<book-security-common-pitfalls>`".
check_path(type:string, default:/login_check) This is the URL that your login form must submit to. The firewall will intercept any requests (POSTrequests only, by default) to this URL and process the submitted login credentials.Be sure that this URL is covered by your main firewall (i.e. don't create a separate firewall just for
check_pathURL).use_forward(type:Boolean, default:false) If you'd like the user to be forwarded to the login form instead of being redirected, set this option totrue.username_parameter(type:string, default:_username) This is the field name that you should give to the username field of your login form. When you submit the form tocheck_path, the security system will look for a POST parameter with this name.password_parameter(type:string, default:_password) This is the field name that you should give to the password field of your login form. When you submit the form tocheck_path, the security system will look for a POST parameter with this name.post_only(type:Boolean, default:true) By default, you must submit your login form to thecheck_pathURL as a POST request. By setting this option tofalse, you can send a GET request to thecheck_pathURL.
always_use_default_target_path(type:Boolean, default:false)default_target_path(type:string, default:/)target_path_parameter(type:string, default:_target_path)use_referer(type:Boolean, default:false)