symfony - Symfony2 http_basic security rejects valid credentials

Question

I use Symfony Standard 2.0.0BETA1 and tried to configure http_basic authentication exactly the same as in this book chapter

security:
encoders:
    SymfonyComponentSecurityCoreUserUser: plaintext

providers:
    main:
        users:
            foo: { password: testing, roles: ROLE_USER }

firewalls:
    main:
        pattern:    /.*
        http_basic: true
        logout:     true

access_control:
    - { path: /.*, role: ROLE_USER }

Problem is when I try to open a page and i submit user name "foo" and password "testing" it simply loops and ask me for credential infinitely or display error page.

Steps to reproduce issue:

1. Copy security configuration from http://symfony.com/doc/current/book/security/overview.html#configuration and past it to security.yml file
2. Refresh app home page
3. Enter valid credentials

Expected behavior is to see home page but instead credentials prompt is shown.

Does anyone know why that happens and how to fix it?

Answer 1

The problem is you restricted access to /.*, which means all paths, to only users who have the role ROLE_USER.

Say your login path is /login, the user tries to access any other path and is redirected to the login path. The login path (/login) will be matched by the access control pattern /.*. The user will then be denied of access because he doesn't have the role ROLE_USER right now. The security component will redirect the user again to the login form so he can authenticate to get the role, which is restricted, and will redirect the user to the login form to authenticate and so on.

Here's a simple solution to avoid this problem. You can allow access to the login form to anonymous user with the activation of the anonymous user configuration and a new access control item. Add this below main in the firewalls configuration to enable anonymous user:

security:
    firewalls:
        main:
            anonymous: true

And add a new access control item to allow anonymous user to acces the /login pattern:

access_control:
    - { path: /login, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: /.*, role: ROLE_USER }

The order is important here since the rule is: first path matched wins. So the /login path must be above your pattern for other path /.*. This should resolves you redirect loop.

The documentation of Symfony about security is being rewritten right now and will talk more in details about this problem. It is in the symfony-docs github repository under the security branch.

Regards, Matt