Conversation

ThomasLandauer

Page: https://symfony.com/doc/6.4/security.html#the-firewall

Reasons:

Question:
Shouldn't this dev firewall be loaded in DEV environment only? (i.e. under something like when@dev)

@ThomasLandauer
[Security]: Simplifying the DEV firewall's pattern
a2f1288
Page: https://symfony.com/doc/6.4/security.html#the-firewall

Reasons:
* The inner parentheses `_(profiler|wdt)` are overly complicated
* AssetMapper recommends to have all assets under `/asset/`: https://symfony.com/doc/6.4/frontend/asset_mapper.html
@carsonbotcarsonbot added this to the 6.4 milestone Mar 21, 2025
@carsonbotcarsonbot changed the title [Security]: Simplifying the DEV firewall's pattern [Security] : Simplifying the DEV firewall's pattern Mar 21, 2025
xabbuh
xabbuh reviewed Mar 22, 2025
View reviewed changes
security.rst Outdated
@@ -497,7 +497,7 @@ will be able to authenticate (e.g. login form, API token, etc).
# the order in which firewalls are defined is very important, as the
# request will be handled by the first firewall whose pattern matches
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
pattern: ^/(_profiler|_wdt|assets)/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIRC we have it this way to be in line with the recipe: https://.com/symfony/recipes/blob/main/symfony/security-bundle/6.4/config/packages/security.yaml#L10

Copy link
Contributor Author

@ThomasLandauer ThomasLandauer Mar 22, 2025
edited by javiereguiluz
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, then let's change it there too :-) symfony/recipes#1395

@xabbuh

Question:
Shouldn't this dev firewall be loaded in DEV environment only? (i.e. under something like when@dev)

The security config is not merged between environments. So you would have to repeat everything for the dev environment.

@OskarStarkOskarStark changed the title [Security] : Simplifying the DEV firewall's pattern [Security] Simplifying the DEV firewall's pattern Mar 22, 2025
ThomasLandauer added a commit to ThomasLandauer/recipes that referenced this pull request Mar 22, 2025
@ThomasLandauer
Update security.yaml: Simplifying regex
65c9dc3
Sister-PR of symfony/symfony-docs#20794 (review)
@ThomasLandauerThomasLandauer mentioned this pull request Mar 22, 2025
Closed
@ThomasLandauer

Is this true for all parts of the config?
Cause at https://symfony.com/doc/current/security/passwords.html#configuring-a-password-hasher (green box) it's recommended to reconfigure the password hasher in config/packages/test/security.php, and I did this in config/packages/security.php like this:

if ('test' === $containerConfigurator->env()) {
    // ...
}

@wouterj

Is this true for all parts of the config?

Not to all parts, and some parts behave differently. We don't merge configuration from security.role_hierarchy and security.password_hashers, and we don't allow new items in security.firewalls (i.e. you may change options of the firewalls, but you can't add new firewalls).

About this PR, I think it makes sense, but let's wait for the recipe to be accepted as the documentation have to be in sync with the generated recipes.

@wouterjwouterj modified the milestones: 6.4, 7.3 Mar 22, 2025
@wouterjwouterj added the Waiting Code MergeDocs for features pending to be mergedlabel Mar 22, 2025
@carsonbotcarsonbot modified the milestones: 7.3, next Mar 22, 2025
@ThomasLandauerThomasLandauer mentioned this pull request Mar 23, 2025
Open
xabbuh
xabbuh reviewed Mar 24, 2025
View reviewed changes
security.rst
@@ -497,7 +497,7 @@ will be able to authenticate (e.g. login form, API token, etc).
# the order in which firewalls are defined is very important, as the
# request will be handled by the first firewall whose pattern matches
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
pattern: ^/_profiler|_wdt|assets|build/ # `assets` is for AssetMapper; `build` is for Webpack Encore
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
pattern: ^/_profiler|_wdt|assets|build/ # `assets` is for AssetMapper; `build` is for Webpack Encore
pattern: ^/(_profiler|_wdt|assets|build)/ # `assets` is for AssetMapper; `build` is for Webpack Encore

xabbuh
xabbuh reviewed Mar 24, 2025
View reviewed changes
security.rst
@@ -529,8 +529,8 @@ will be able to authenticate (e.g. login form, API token, etc).
<!-- the order in which firewalls are defined is very important, as the
request will be handled by the first firewall whose pattern matches -->
<firewall name="dev"
pattern="^/(_(profiler|wdt)|css|images|js)/"
security="false"/>
pattern="^/_profiler|_wdt|assets|build/"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
pattern="^/_profiler|_wdt|assets|build/"
pattern="^/(_profiler|_wdt|assets|build)/"

xabbuh
xabbuh reviewed Mar 24, 2025
View reviewed changes
@smnandre

What is the problem this PR solves ? I mean, is there any real life problem with AssetMapper or Webpack ?

(even if for the first I seriously doubt it, as the dev server priority is greater than security listeners in dev and ... it does not work in prod)

@ThomasLandauer @xabbuh
Update security.rst
94c36b6
Co-authored-by: Christian Flothmann <[email protected]>
Sign up for free to join this conversation on . Already have an account? Sign in to comment

@xabbuh xabbuh xabbuh left review comments

No one assigned
Security Status: Needs Review Waiting Code MergeDocs for features pending to be merged
None yet
next

Successfully merging this pull request may close these issues.