@ThomasLandauer (Contributor)

License: MIT
Doc issue/PR: Sister-PR of symfony/symfony-docs#20794 (review)

As requested at #1392 (review)

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) March 23, 2025 10:16
@github-actions (bot) commented Mar 23, 2025

Thanks for the PR 😍

How to test these changes in your application

  1. Define the SYMFONY_ENDPOINT environment variable:

    # On Unix-like (BSD, Linux and macOS)
    export SYMFONY_ENDPOINT=https://raw.githubusercontent.com/symfony/recipes/flex/pull-1395/index.json
    # On Windows
    SET SYMFONY_ENDPOINT=https://raw.githubusercontent.com/symfony/recipes/flex/pull-1395/index.json
  2. Install the package(s) related to this recipe:

    composer req symfony/flex
    composer req 'symfony/security-bundle:^7.4'
  3. Don't forget to unset the SYMFONY_ENDPOINT environment variable when done:

    # On Unix-like (BSD, Linux and macOS)
    unset SYMFONY_ENDPOINT
    # On Windows
    SET SYMFONY_ENDPOINT=

Diff between recipe versions

In order to help with the review stage, I'm in charge of computing the diff between the various versions of patched recipes.
I'm going to keep this comment up to date with any updates of the attached patch.

symfony/security-bundle

3.3 vs 4.4
diff --git a/symfony/security-bundle/3.3/config/packages/security.yaml b/symfony/security-bundle/4.4/config/packages/security.yaml
index f7ae4b78..811681e8 100644
--- a/symfony/security-bundle/3.3/config/packages/security.yaml
+++ b/symfony/security-bundle/4.4/config/packages/security.yaml
@@ -7,7 +7,7 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
         main:
-            anonymous: true
+            anonymous: lazy
             provider: users_in_memory
 
             # activate different ways to authenticate
4.4 vs 5.1
diff --git a/symfony/security-bundle/4.4/config/packages/security.yaml b/symfony/security-bundle/5.1/config/packages/security.yaml
index 811681e8..0e4cf3d1 100644
--- a/symfony/security-bundle/4.4/config/packages/security.yaml
+++ b/symfony/security-bundle/5.1/config/packages/security.yaml
@@ -7,7 +7,8 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
         main:
-            anonymous: lazy
+            anonymous: true
+            lazy: true
             provider: users_in_memory
 
             # activate different ways to authenticate
5.1 vs 5.3
diff --git a/symfony/security-bundle/5.1/config/packages/security.yaml b/symfony/security-bundle/5.3/config/packages/security.yaml
index 0e4cf3d1..789a9ac1 100644
--- a/symfony/security-bundle/5.1/config/packages/security.yaml
+++ b/symfony/security-bundle/5.3/config/packages/security.yaml
@@ -1,5 +1,9 @@
 security:
-    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    enable_authenticator_manager: true
+    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
+    password_hashers:
+        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
+    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
     providers:
         users_in_memory: { memory: null }
     firewalls:
@@ -7,12 +11,11 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
         main:
-            anonymous: true
             lazy: true
             provider: users_in_memory
 
             # activate different ways to authenticate
-            # https://symfony.com/doc/current/security.html#firewalls-authentication
+            # https://symfony.com/doc/current/security.html#the-firewall
 
             # https://symfony.com/doc/current/security/impersonating_user.html
             # switch_user: true
@@ -22,3 +25,16 @@ security:
     access_control:
         # - { path: ^/admin, roles: ROLE_ADMIN }
         # - { path: ^/profile, roles: ROLE_USER }
+
+when@test:
+    security:
+        password_hashers:
+            # By default, password hashers are resource intensive and take time. This is
+            # important to generate secure password hashes. In tests however, secure hashes
+            # are not important, waste resources and increase test times. The following
+            # reduces the work factor to the lowest possible values.
+            Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
+                algorithm: auto
+                cost: 4 # Lowest possible value for bcrypt
+                time_cost: 3 # Lowest possible value for argon
+                memory_cost: 10 # Lowest possible value for argon
diff --git a/symfony/security-bundle/5.1/manifest.json b/symfony/security-bundle/5.3/manifest.json
index 5d8527e4..4a48e0cf 100644
--- a/symfony/security-bundle/5.1/manifest.json
+++ b/symfony/security-bundle/5.3/manifest.json
@@ -5,5 +5,8 @@
     "copy-from-recipe": {
         "config/": "%CONFIG_DIR%/"
     },
-    "aliases": ["security"]
+    "aliases": ["security"],
+    "conflict": {
+        "symfony/framework-bundle": "<5.3"
+    }
 }
5.3 vs 6.0
diff --git a/symfony/security-bundle/5.3/config/packages/security.yaml b/symfony/security-bundle/6.0/config/packages/security.yaml
index 789a9ac1..367af25a 100644
--- a/symfony/security-bundle/5.3/config/packages/security.yaml
+++ b/symfony/security-bundle/6.0/config/packages/security.yaml
@@ -1,5 +1,4 @@
 security:
-    enable_authenticator_manager: true
     # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
     password_hashers:
         Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
6.0 vs 6.4
diff --git a/symfony/security-bundle/6.4/config/routes/security.yaml b/symfony/security-bundle/6.4/config/routes/security.yaml
new file mode 100644
index 00000000..f853be15
--- /dev/null
+++ b/symfony/security-bundle/6.4/config/routes/security.yaml
@@ -0,0 +1,3 @@
+_security_logout:
+    resource: security.route_loader.logout
+    type: service
6.4 vs 7.4
diff --git a/symfony/security-bundle/6.4/config/packages/security.yaml b/symfony/security-bundle/7.4/config/packages/security.yaml
index 367af25a..eee5ac9b 100644
--- a/symfony/security-bundle/6.4/config/packages/security.yaml
+++ b/symfony/security-bundle/7.4/config/packages/security.yaml
@@ -2,25 +2,26 @@ security:
     # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
     password_hashers:
         Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
+
     # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
     providers:
         users_in_memory: { memory: null }
-    firewalls:
+
         dev:
-            pattern: ^/(_(profiler|wdt)|css|images|js)/
+            # Ensure dev tools and static assets are always allowed
+            pattern: ^/(_profiler|_wdt|assets|build)/
             security: false
         main:
             lazy: true
             provider: users_in_memory
 
-            # activate different ways to authenticate
+            # Activate different ways to authenticate:
             # https://symfony.com/doc/current/security.html#the-firewall
 
             # https://symfony.com/doc/current/security/impersonating_user.html
             # switch_user: true
 
-    # Easy way to control access for large sections of your site
-    # Note: Only the *first* access control that matches will be used
+    # Note: Only the *first* matching rule is applied
     access_control:
         # - { path: ^/admin, roles: ROLE_ADMIN }
         # - { path: ^/profile, roles: ROLE_USER }
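Review bot: the `-    firewalls:` line near the top of this hunk is replaced by a bare `+` blank line and no `+    firewalls:` line is added back, so as the hunk reads, `dev:` and `main:` become children of `providers:` and the file no longer declares any firewall; restore `firewalls:` after the added blank line (it could carry the `# https://symfony.com/doc/current/security.html#the-firewall` comment already used below). Separately, the `dev` pattern change keeps the `^/` anchor, which matters because this firewall has `security: false`: every path it captures never reaches `main`, so an unanchored pattern would silently exempt any project URL containing `/assets/` or `/build/`. Note that `css`, `images` and `js` are dropped, so a project that still serves those prefixes through the kernel will now route them through `main`; and the new comment `# Ensure dev tools and static assets are always allowed` is misleading, since `security: false` disables all security checks rather than granting access, so something like `# Dev tools and static assets never pass through the main firewall` would be more precise.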
@@ -28,10 +29,8 @@ security:
 when@test:
     security:
         password_hashers:
-            # By default, password hashers are resource intensive and take time. This is
-            # important to generate secure password hashes. In tests however, secure hashes
-            # are not important, waste resources and increase test times. The following
-            # reduces the work factor to the lowest possible values.
+            # Password hashers are resource-intensive by design to ensure security.
+            # In tests, it's safe to reduce their cost to improve performance.            
             Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
                 algorithm: auto
                 cost: 4 # Lowest possible value for bcrypt
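Review bot: the added comment line `# In tests, it's safe to reduce their cost to improve performance.` carries trailing whitespace that should be stripped. The shortened wording also drops the explanation that these are the minimum values the hashers accept; since the reduction is scoped to `when@test:` and production keeps the `'auto'` settings, keep the per-line `# Lowest possible value for ...` annotations (the `cost: 4` context line shows the style) so the block is not copied into another environment.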

auto-merge was automatically disabled March 23, 2025 10:22

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) March 23, 2025 10:23
@stof (Member) commented Apr 14, 2025

@ThomasLandauer could you fix this PR? We definitely want our dev firewall to use a pattern anchored at the beginning, to avoid risking matching URLs of the project that might contain assets or build somewhere else in the URL (which would disable security check for them).
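
To make the anchoring argument above concrete, here is an added Python check (not code from this PR or from Symfony) that feeds constructed request paths through the 6.4 and 7.4 dev-firewall patterns shown in the recipe diff, plus a constructed unanchored variant, and lists which paths would bypass the `main` firewall because `dev` has `security: false`. It approximates Symfony's preg_match-based request matching with Python's `re.search`.

```python
import re

# The two dev-firewall patterns taken from the recipe diff on this page:
OLD_DEV_PATTERN = r"^/(_(profiler|wdt)|css|images|js)/"  # security-bundle 6.4
NEW_DEV_PATTERN = r"^/(_profiler|_wdt|assets|build)/"     # security-bundle 7.4
# Constructed variant with the ^ anchor dropped, to show why the anchor matters.
UNANCHORED_PATTERN = r"/(_profiler|_wdt|assets|build)/"

# Constructed request paths (Symfony's pathInfo) to probe the patterns with.
SAMPLE_PATHS = [
    "/_profiler/abc123",
    "/_wdt/abc123",
    "/_profiler_extra/x",      # looks like a dev-tool path but is not one
    "/assets/app.js",
    "/build/app.css",
    "/css/app.css",
    "/admin",
    "/admin/assets/report",    # app URL that happens to contain "assets"
    "/admin/build/export",     # app URL that happens to contain "build"
]


def is_anchored(pattern: str) -> bool:
    """A firewall pattern should start with ^ so it can only match a URL prefix."""
    return pattern.startswith("^")


def dev_firewall_matches(pattern: str, path_info: str) -> bool:
    """Approximate Symfony's request matcher: the recipe pattern is used as a
    preg_match() regex (Symfony adds the {} delimiters itself), and preg_match,
    like re.search, is unanchored unless the pattern itself says ^."""
    return re.search(pattern, path_info) is not None


def paths_bypassing_security(pattern: str, paths: list[str]) -> list[str]:
    """Paths captured by the `dev` firewall. Because that firewall has
    `security: false`, every path listed here never reaches `main`: no
    authentication, no access_control, no "last visited URL" bookkeeping."""
    return [p for p in paths if dev_firewall_matches(pattern, p)]


if __name__ == "__main__":
    for name, pattern in [("6.4", OLD_DEV_PATTERN), ("7.4", NEW_DEV_PATTERN),
                          ("unanchored", UNANCHORED_PATTERN)]:
        print(f"{name:10} anchored={is_anchored(pattern)!s:5}",
              paths_bypassing_security(pattern, SAMPLE_PATHS))
```

Run it as a quick lint against any custom `dev` pattern: a result that lists application URLs such as the `/admin/...` samples means the pattern is exempting more than dev tools and static assets.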

auto-merge was automatically disabled April 14, 2025 11:37

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) April 14, 2025 11:38
auto-merge was automatically disabled April 14, 2025 11:40

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) April 14, 2025 11:40
@ThomasLandauer (Contributor, Author)

Sure, I just dropped in the two comments :-)

auto-merge was automatically disabled May 28, 2025 14:25

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) May 28, 2025 14:26
auto-merge was automatically disabled May 28, 2025 14:30

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) May 28, 2025 14:30
@ThomasLandauer (Contributor, Author) commented May 28, 2025

I added some punctuation too. Looks like there are no clear rules (throughout the docs) for comments; but I think omitting any punctuation (which is what most comments do) makes them harder to read.

    dev:
        # 'assets/' is for AssetMapper, 'build/' for Webpack Encore.
        # (Note: no regex delimiters needed; Symfony adds `{}` automatically.)
        pattern: ^/(_profiler|_wdt|assets|build)/
Member:

What is the problem this addition solves?

As neither webpack nor assetmapper has problems with the firewall today, as far as I know.

Member:

in dev, AssetMapper loads the file through the kernel, with a listener resolving them. You don't want the assets to be registered as the "last URL being accessed" under the firewall, saved in the session for the redirection after authentication.
Adding it for Webpack Encore is a safety measure avoiding the same kind of issue in case of a 404 on the built asset (for instance due to versioning), even though non-404 responses for Encore should be managed by the webserver directly (same applies for AssetMapper in production mode btw)

@nicolas-grekas (Member)

@ThomasLandauer can you please target v 7.4?

@nicolas-grekas (Member) left a comment

Here is minor stuff, LGTM once 7.4 becomes the target

auto-merge was automatically disabled November 4, 2025 08:56

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) November 4, 2025 08:56
auto-merge was automatically disabled November 4, 2025 09:17

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) November 4, 2025 09:18
@ThomasLandauer (Contributor, Author)

I now created a directory 7.4 (is this what you meant?) - but I think I messed it up...

@nicolas-grekas (Member) commented Nov 4, 2025

You now need to revert the 7.3 folder. Everything should be in 7.4

auto-merge was automatically disabled November 4, 2025 10:57

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) November 4, 2025 10:57
auto-merge was automatically disabled November 4, 2025 11:00

Head branch was pushed to by a user without write access

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) November 4, 2025 11:00
@ThomasLandauer (Contributor, Author)

Yeah, I think it worked :-)

@nicolas-grekas changed the title from "Update security.yaml: Simplifying regex (#2)" to "Some cleanups for security.yaml" Nov 4, 2025
@nicolas-grekas (Member) left a comment

thanks

@symfony-recipes-bot symfony-recipes-bot merged commit 15a50fe into symfony:main Nov 4, 2025
1 of 2 checks passed
@ThomasLandauer ThomasLandauer deleted the simplifying-regex branch November 4, 2025 11:30
ThomasLandauer added a commit to ThomasLandauer/symfony-docs that referenced this pull request Nov 4, 2025
Page: https://symfony.com/doc/7.4/security.html

* I changed the regex to match the new recipe after symfony/recipes#1395
* I added the longer explanatory comment, as suggested at symfony/recipes#1395 (comment)
10 participants