Security
SiteSupra does not provide any kind of authentication for the public (user-facing) part of a site; it only provides an authentication and user management layer for the CMS part, decoupled into the separate SupraPackageCmsAuthentication package (more on standard packages in the corresponding section). So the documentation below applies only to the CMS part, but you can always add authentication to your website by following this cookbook article.
The SiteSupra security layer is based on the Symfony Security component.
Security Concepts and Configuration
Security is bound unconditionally to the cms.prefix container parameter and secures all URLs beginning with that prefix. URL mapping happens in CmsAuthenticationRequestListener. When a visitor is not authorized yet, the visitor is redirected to the CMS login page.
Note
We are likely to extend the security layer to both backend and frontend - stay tuned!
The second listener, CmsAuthenticationResponseListener, ensures that the current Token is stored in the user session under the key defined by the cms_authentication.session.storage_key parameter. SiteSupra dispatches AuthController::TOKEN_CHANGE_EVENT every time a new token is stored in the session.
Voters and ACLs are enabled, but not used yet.
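The request/response listener pair described above, as an added illustrative example (this is not SiteSupra's own CmsAuthenticationRequestListener or CmsAuthenticationResponseListener code). It assumes the Symfony 2.x HttpKernel and Security APIs (GetResponseEvent, FilterResponseEvent, TokenStorageInterface), takes the prefix, session key and login path as constructor arguments instead of reading the cms.prefix and cms_authentication.session.storage_key container parameters, and uses a hypothetical event name in place of AuthController::TOKEN_CHANGE_EVENT:

```php
<?php
// Added illustrative example, not SiteSupra's own listener classes.
// Assumes Symfony 2.x HttpKernel/Security APIs; prefix, session key and
// login path are constructor arguments rather than container parameters.

namespace Example\Security;

use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;

class CmsAccessSubscriber implements EventSubscriberInterface
{
    // Hypothetical event name standing in for AuthController::TOKEN_CHANGE_EVENT.
    const TOKEN_CHANGE_EVENT = 'example.cms.token_change';

    private $prefix;       // e.g. "/cms" (what the cms.prefix parameter would supply)
    private $storageKey;   // session key under which the token is kept
    private $loginPath;    // CMS login page, exempt from the check
    private $tokenStorage;
    private $dispatcher;

    public function __construct($prefix, $storageKey, $loginPath,
                                TokenStorageInterface $tokenStorage,
                                EventDispatcherInterface $dispatcher)
    {
        $this->prefix       = '/' . trim($prefix, '/');   // "cms" and "/cms/" both become "/cms"
        $this->storageKey   = $storageKey;
        $this->loginPath    = $loginPath;
        $this->tokenStorage = $tokenStorage;
        $this->dispatcher   = $dispatcher;
    }

    public static function getSubscribedEvents()
    {
        // Run early on the request (before routing and controllers), late on the response.
        return array(
            KernelEvents::REQUEST  => array('onKernelRequest', 64),
            KernelEvents::RESPONSE => array('onKernelResponse', 0),
        );
    }

    /** True for the prefix itself or paths below it: "/cms", "/cms/pages", but not "/cmsblog". */
    public function isCmsPath($path)
    {
        return $path === $this->prefix || strpos($path, $this->prefix . '/') === 0;
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        if (!$event->isMasterRequest()) {
            return;
        }
        $request = $event->getRequest();
        $path    = $request->getPathInfo();

        if (!$this->isCmsPath($path) || $path === $this->loginPath) {
            return;   // public site or the login page itself: nothing to enforce
        }

        $token = $request->getSession()->get($this->storageKey);
        if ($token === null) {
            // No stored token: redirect to the login page and stop the request
            // before it reaches any CMS controller.
            $event->setResponse(new RedirectResponse($this->loginPath));
            return;
        }
        $this->tokenStorage->setToken($token);
    }

    public function onKernelResponse(FilterResponseEvent $event)
    {
        if (!$event->isMasterRequest()) {
            return;
        }
        $session = $event->getRequest()->getSession();
        $token   = $this->tokenStorage->getToken();

        // Persist a new or changed token and announce the change, as the
        // response listener described on this page does.
        if ($token !== null && $session->get($this->storageKey) !== $token) {
            $session->set($this->storageKey, $token);
            $this->dispatcher->dispatch(self::TOKEN_CHANGE_EVENT);
        }
    }
}
```

The prefix check matches whole path segments so that a sibling path such as /cmsblog is not accidentally treated as part of the protected area; the login path is exempted so the redirect cannot loop. A production listener would additionally verify that the stored token is authenticated and carries the expected roles rather than relying on its mere presence in the session.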
The default security configuration is stored in Supra\Package\CmsAuthentication\Resources\config\config.yml. Apart from paths and services, it defines a shared user source (explained below), sets up user providers (bound to the CmsAuthentication:User entity), combines both into a provider chain, and sets SupraBlowfishEncoder as the default password encoder.
CLI Commands
SiteSupra provides some basic user management commands (for adding and removing backend user groups), allowing you to manage users even if the database is empty. Refer to Command Line Interface for more details.
User Source and User Provider
By default SiteSupra uses Supra\Package\CmsAuthentication\Entity\User as the base user entity and the corresponding repository (which already implements Symfony\Component\Security\Core\User\UserProviderInterface) as the user source. Again, by default it is bound to the current connection (please refer to Database (Doctrine 2) and EntityAudit if you want to learn more about the SiteSupra database layer).
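To make concrete what the configuration section and this section ask of a user source and a password encoder, here is an added example (not SiteSupra's CmsAuthentication:User repository or SupraBlowfishEncoder). It assumes the Symfony 2.x security component interfaces and PHP 5.5 or later for password_hash/password_verify; the in-memory user table is a constructed stand-in for the Doctrine-backed repository, and the class names ExampleUser, BcryptEncoder and InMemoryUserProvider are hypothetical:

```php
<?php
// Added example, not SiteSupra's own code. Shows a user source implementing
// Symfony's UserProviderInterface and a bcrypt ("Blowfish") password encoder.
// Assumes Symfony 2.x security interfaces and PHP >= 5.5.

namespace Example\Security;

use Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class ExampleUser implements UserInterface
{
    private $username;
    private $password;
    private $roles;

    public function __construct($username, $password, array $roles)
    {
        $this->username = $username;
        $this->password = $password;
        $this->roles    = $roles;
    }

    public function getUsername() { return $this->username; }
    public function getPassword() { return $this->password; }
    public function getRoles()    { return $this->roles; }
    public function getSalt()     { return null; }   // bcrypt embeds its own salt in the hash
    public function eraseCredentials() {}
}

class BcryptEncoder implements PasswordEncoderInterface
{
    private $cost;

    public function __construct($cost = 12) { $this->cost = $cost; }

    public function encodePassword($raw, $salt)
    {
        // bcrypt silently truncates input at 72 bytes; reject longer passwords
        // rather than store a weaker credential than the user believes they set.
        if (strlen($raw) > 72) {
            throw new \InvalidArgumentException('Password exceeds the 72-byte bcrypt limit');
        }
        return password_hash($raw, PASSWORD_BCRYPT, array('cost' => $this->cost));
    }

    public function isPasswordValid($encoded, $raw, $salt)
    {
        // password_verify performs a constant-time comparison of the hashes.
        return strlen($raw) <= 72 && password_verify($raw, $encoded);
    }
}

class InMemoryUserProvider implements UserProviderInterface
{
    private $users = array();

    /** @param array $records username => array('password' => <hash>, 'roles' => array(...)) */
    public function __construct(array $records)
    {
        foreach ($records as $username => $r) {
            $this->users[strtolower($username)] = new ExampleUser($username, $r['password'], $r['roles']);
        }
    }

    public function loadUserByUsername($username)
    {
        $key = strtolower($username);
        if (!isset($this->users[$key])) {
            // Symfony's firewall maps this to a generic "bad credentials" error,
            // so the response does not reveal whether the account exists.
            throw new UsernameNotFoundException(sprintf('User "%s" not found.', $username));
        }
        return $this->users[$key];
    }

    public function refreshUser(UserInterface $user)
    {
        if (!$user instanceof ExampleUser) {
            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
        }
        // Reload from the source so role or password changes apply on the next request.
        return $this->loadUserByUsername($user->getUsername());
    }

    public function supportsClass($class)
    {
        return $class === 'Example\Security\ExampleUser';
    }
}

// Constructed sample data: one backend account with a freshly computed bcrypt hash.
$encoder  = new BcryptEncoder(12);
$provider = new InMemoryUserProvider(array(
    'admin' => array(
        'password' => $encoder->encodePassword('correct horse battery staple', null),
        'roles'    => array('ROLE_ADMIN'),
    ),
));
$user = $provider->loadUserByUsername('admin');
var_dump($encoder->isPasswordValid($user->getPassword(), 'correct horse battery staple', null));
var_dump($encoder->isPasswordValid($user->getPassword(), 'wrong password', null));
```

Wiring these into Symfony's provider chain is done in configuration rather than code: the provider is registered as a service and named under the security providers, and the encoder is set for the user class, exactly the role SupraBlowfishEncoder and the CmsAuthentication:User provider play in the default config.yml.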