Skip to content

[Security] Simplifying the DEV firewall's pattern#20794

Open
ThomasLandauer wants to merge 4 commits intosymfony:6.4from
ThomasLandauer:patch-17
Open

[Security] Simplifying the DEV firewall's pattern#20794
ThomasLandauer wants to merge 4 commits intosymfony:6.4from
ThomasLandauer:patch-17

Conversation

@ThomasLandauer
Copy link
Contributor

@ThomasLandauer ThomasLandauer commented Mar 21, 2025
edited
Loading

Page: https://symfony.com/doc/6.4/security.html#the-firewall

Reasons:

Question:
Shouldn't this dev firewall be loaded in DEV environment only? (i.e. under something like when@dev)

@ThomasLandauer
[Security]: Simplifying the DEV firewall's pattern
a2f1288 
Page: https://symfony.com/doc/6.4/security.html#the-firewall

Reasons:
* The inner parentheses `_(profiler|wdt)` are overly complicated
* AssetMapper recommends to have all assets under `/asset/`: https://symfony.com/doc/6.4/frontend/asset_mapper.html
@carsonbot carsonbot added this to the 6.4 milestone Mar 21, 2025
@carsonbot carsonbot changed the title [Security]: Simplifying the DEV firewall's pattern [Security] : Simplifying the DEV firewall's pattern Mar 21, 2025
xabbuh
xabbuh reviewed Mar 22, 2025
View reviewed changes
security.rst Outdated
# request will be handled by the first firewall whose pattern matches
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
pattern: ^/(_profiler|_wdt|assets)/
Copy link
Member

@xabbuh xabbuh Mar 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IIRC we have it this way to be in line with the recipe: https://github.com/symfony/recipes/blob/main/symfony/security-bundle/6.4/config/packages/security.yaml#L10

Copy link
Contributor Author

@ThomasLandauer ThomasLandauer Mar 22, 2025
edited by javiereguiluz
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, then let's change it there too :-) symfony/recipes#1395

@xabbuh
Copy link
Member

xabbuh commented Mar 22, 2025

Question:
Shouldn't this dev firewall be loaded in DEV environment only? (i.e. under something like when@dev)

The security config is not merged between environments. So you would have to repeat everything for the dev environment.

@OskarStark OskarStark changed the title [Security] : Simplifying the DEV firewall's pattern [Security] Simplifying the DEV firewall's pattern Mar 22, 2025
@ThomasLandauer ThomasLandauer mentioned this pull request Mar 22, 2025
Closed
@ThomasLandauer
Copy link
Contributor Author

ThomasLandauer commented Mar 22, 2025

Is this true for all parts of the config?
Cause at https://symfony.com/doc/current/security/passwords.html#configuring-a-password-hasher (green box) it's recommended to reconfigure the password hasher in config/packages/test/security.php, and I did this in config/packages/security.php like this:

if ('test' === $containerConfigurator->env()) {
    // ...
}

@wouterj
Copy link
Member

wouterj commented Mar 22, 2025
edited
Loading

Is this true for all parts of the config?

Not to all parts, and some parts behave differently. We don't merge configuration from security.role_hierarchy and security.password_hashers, and we don't allow new items in security.firewalls (i.e. you may change options of the firewalls, but you can't add new firewalls).

About this PR, I think it makes sense, but let's wait for the recipe to be accepted as the documentation have to be in sync with the generated recipes.

@wouterj wouterj modified the milestones: 6.4, 7.3 Mar 22, 2025
@wouterj wouterj added the Waiting Code Merge Docs for features pending to be merged label Mar 22, 2025
@carsonbot carsonbot modified the milestones: 7.3, next Mar 22, 2025
@ThomasLandauer ThomasLandauer mentioned this pull request Mar 23, 2025
Merged
xabbuh
xabbuh reviewed Mar 24, 2025
View reviewed changes
security.rst
# request will be handled by the first firewall whose pattern matches
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
pattern: ^/_profiler|_wdt|assets|build/ # `assets` is for AssetMapper; `build` is for Webpack Encore
Copy link
Member

@xabbuh xabbuh Mar 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
pattern: ^/_profiler|_wdt|assets|build/ # `assets` is for AssetMapper; `build` is for Webpack Encore
pattern: ^/(_profiler|_wdt|assets|build)/ # `assets` is for AssetMapper; `build` is for Webpack Encore

xabbuh
xabbuh reviewed Mar 24, 2025
View reviewed changes
security.rst
<firewall name="dev"
pattern="^/(_(profiler|wdt)|css|images|js)/"
security="false"/>
pattern="^/_profiler|_wdt|assets|build/"
Copy link
Member

@xabbuh xabbuh Mar 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
pattern="^/_profiler|_wdt|assets|build/"
pattern="^/(_profiler|_wdt|assets|build)/"

xabbuh
xabbuh reviewed Mar 24, 2025
View reviewed changes
@smnandre
Copy link
Member

smnandre commented Jun 8, 2025

What is the problem this PR solves ? I mean, is there any real life problem with AssetMapper or Webpack ?

(even if for the first I seriously doubt it, as the dev server priority is greater than security listeners in dev and ... it does not work in prod)

@ThomasLandauer @xabbuh
Update security.rst
94c36b6 
Co-authored-by: Christian Flothmann <christian.flothmann@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xabbuh xabbuh xabbuh left review comments

Assignees

No one assigned

Labels

Security Status: Needs Review Waiting Code Merge Docs for features pending to be merged

Projects

None yet

Milestone

next

Development

Successfully merging this pull request may close these issues.

5 participants

@ThomasLandauer @xabbuh @wouterj @smnandre @carsonbot