security:
encoders:
# Our user class and the algorithm we'll use to encode passwords
# 'auto' means to let Symfony choose the best possible password hasher (Argon2 or Bcrypt)
# https://symfony.com/doc/current/security.html#c-encoding-passwords
App\Entity\User: 'auto'
providers:
# https://symfony.com/doc/current/security/user_provider.html
# In this example, users are stored via Doctrine in the database
# To see the users at src/App/DataFixtures/ORM/LoadFixtures.php
# To load users from somewhere else: https://symfony.com/doc/current/security/user_provider.html#creating-a-custom-user-provider
database_users:
entity: { class: App\Entity\User, property: username }
# https://symfony.com/doc/current/security.html#a-authentication-firewalls
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
# this firewall applies to all URLs
pattern: ^/
# but the firewall does not require login on every page
# denying access is done in access_control or in your controllers
anonymous: lazy
# This allows the user to login by submitting a username and password
# Reference: https://symfony.com/doc/current/security/form_login_setup.html
form_login:
# The route name that the login form submits to
check_path: security_login
# The name of the route where the login form lives
# When the user tries to access a protected page, they are redirected here
login_path: security_login
# Secure the login form against CSRF
# Reference: https://symfony.com/doc/current/security/csrf.html#csrf-protection-in-login-forms
csrf_token_generator: security.csrf.token_manager
# The page users are redirect to when there is no previous page stored in the
# session (for example when the users access directly to the login page).
default_target_path: blog_index
logout:
# The route name the user can go to in order to logout
path: security_logout
# The name of the route to redirect to after logging out
target: homepage
# Used to restrict access for large sections of your site
# Note: Only the *first* access control that matches will be used
access_control:
# this is a catch-all for the admin area
# additional security lives in the controllers
- { path: '^/(%app_locales%)/admin', roles: ROLE_ADMIN }
role_hierarchy:
ROLE_ADMIN: ROLE_USER
|