Hi man,
good work with this bundle. I cloned and try the sandbox: https://github.com/slashfan/LexikJWTAuthenticationBundleSandbox
but i don't understand why if i change access control setting:
access_control:
- { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/pages, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
and i go to http://localhost:8000/angular-demo/index.html
I continue to see the authentication request.
P.S. in PageController.php (getPagesAction function) i comment these lines:
if (!$this->get('security.context')->isGranted('ROLE_USER')) {
throw new AccessDeniedException();
}
Thanks
Hi,
Have you tried adding anonymous: true to the api firewall configuration ? Like this :
api:
pattern: ^/api
stateless: true
anonymous: true
lexik_jwt:
# ... rest of your config
It worked for me in the sandbox.
Well work!
However if i add another controller without it putting in access_control, so it have the routes protected.
If i call this controller with angular i receive 403 and not 401, and so i don't show modal login.
I receive 403 also without check isGranted('ROLE_USER') in action. Instead I should receive 401 (imho)
In a nutshell, what I would do, is to have some public action and some protected action.
If i logged as ROLE_USER it's right receive a 403 if i call an action with check isGranted('ROLE_ADMIN'), but in all other cases I should always receive 401.
It's bad?
Thanks
Hi,
Sorry I didn't really understand. But I think the problem you have is more related to your app and its security design than this bundle.
The bundle only returns a 401 if it finds a json web token in the request and cannot match it against a user. Everything else is handled by symfony and your own config / logic.
Thank you for your response.
Sorry if I can not explain.
So you say that if I add a new controller to the sandbox is normal that I get 403 instead 401?
You should read this : 401 is for authentication (which the job of this bundle) and 403 is for authorization (which is handled by symfony roles, security voters and access control) either through the access_control in your security configuration or directly from your controllers, in the @secure annotation or the calls to the isGranted() method.
Maybe you should try to make your app security system work with a standard form login, and when everything works fine then switch to JWT. But first make sure your roles, permissions and access control are properly set.
Ok! Now it's all clear!
Thank you so much Nicolas!
Most helpful comment
Hi,
Have you tried adding
anonymous: trueto theapifirewall configuration ? Like this :It worked for me in the sandbox.