SiteSupra does not provide any kind of authentication for the user part of the CMS; it only provides an authentication and user
management layer for the CMS part, decoupled into a separate
SupraPackageCmsAuthentication (more on standard packages in the
corresponding section). So, the documentation below applies only to the CMS part, but you can
always add authentication to your website by following this cookbook article.
The SiteSupra security layer is based on the Symfony Security component.
Security Concepts and Configuration
Security is blindly bound to the
cms.prefix container parameter and secures all URLs beginning with that prefix.
URL mapping happens in
A visitor who is not yet authorized is redirected to the CMS login page.
We are likely to extend the security layer to both backend and frontend - stay tuned!
The second listener,
CmsAuthenticationResponseListener, ensures that the current
Token is stored in the user session
under the key defined by
AuthController::TOKEN_CHANGE_EVENT every time a new token is stored in the session.
Voters and ACLs are enabled, but not used yet.
Default security configuration is stored in
Apart from paths and services, it defines a shared user source (explained below), sets up user providers (bound to the
CmsAuthentication:User entity), both combined into a provider chain, and sets
SupraBlowfishEncoder as a default
SiteSupra provides some basic user management commands (for adding and removing backend user groups) allowing you to manage users even if the database is empty. Refer to Command Line Interface for more details.
User Source and User Provider
By default SiteSupra uses
Supra\Package\CmsAuthentication\Entity\User as the base user entity and the corresponding repository
(which already implements
Symfony\Component\Security\Core\User\UserProviderInterface) as a user source. Again, by
default it is bound to the current connection (please refer to Database (Doctrine 2) and EntityAudit if you want to learn more on SiteSupra