Description
I have tried on:
- OS X
- Symfony 3.1 and 2.7
- PHP 5.5.36
The problem: attempting to deny access via IP or host through `@Security`, or checking `$request` inside the controller, or `access_control` in `security.yml`, produces the same error:

```
Full authentication is required to access this resource.
500 Internal Server Error - InsufficientAuthenticationException
1 linked Exception: AccessDeniedException »
```

The error log:

```
DEBUG - Access denied, the user is not fully authenticated; redirecting to authentication entry point.
CRITICAL - Uncaught PHP Exception Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException: "Full authentication is required to access this resource." at /path/tmp-security/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php line 128
```
The same error is thrown on 3.1, which I'm developing my real project on. I don't want the user to be fully authenticated, I want a simple IP address check.
I have followed:

```yaml
security:
    # ...
    access_control:
        -
            path: ^/_internal/secure
            allow_if: "'127.0.0.1' == request.getClientIp() or has_role('ROLE_ADMIN')"
```

from: http://symfony.com/doc/current/security/access_control.html
I have also tried:

```php
<?php

namespace AppBundle\Controller;

use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;

class DefaultController extends Controller
{
    /**
     * @Route("/", name="homepage")
     */
    public function indexAction(Request $request)
    {
        // IP-based denial: the thrown AccessDeniedException is handled by
        // the security firewall's ExceptionListener, not returned directly.
        if ($request->getClientIp() == '127.0.0.1') {
            throw $this->createAccessDeniedException('IP-based rule.');
        }

        // replace this example code with whatever you need
        return $this->render('default/index.html.twig', array(
            'base_dir' => realpath($this->container->getParameter('kernel.root_dir').'/..').DIRECTORY_SEPARATOR,
        ));
    }
}
```
To the same, peculiar effect for both methods. The documentation describes it as I am expecting it to work:
> In this case, when the user tries to access any URL starting with /_internal/secure, they will only be granted access if the IP address is 127.0.0.1 or if the user has the ROLE_ADMIN role.
But that's not how it is behaving.
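The log line in the report ("Access denied, the user is not fully authenticated; redirecting to authentication entry point") describes the firewall's documented handling of an `AccessDeniedException` raised for an anonymous token: the `ExceptionListener` treats it as a missing login and starts authentication, which surfaces as `InsufficientAuthenticationException` when no entry point is configured. A pure IP restriction that should answer 403 regardless of login state can be enforced before the firewall runs, by setting a response on `kernel.request`. The subscriber below is an added example written for this page, not code from the issue or from Symfony; the class name, service id and the allowed-IP list are hypothetical, and it assumes Symfony 2.7/3.1 as in the report.

```php
<?php
// Added example: reject requests to a path prefix from non-allowed IPs with a
// plain 403 before the security firewall runs. No AccessDeniedException is
// thrown, so the firewall's ExceptionListener never converts the denial into
// an InsufficientAuthenticationException or a login redirect.
// Class name, service id and IP list are hypothetical.
namespace AppBundle\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\IpUtils;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

class IpRestrictionSubscriber implements EventSubscriberInterface
{
    /** @var string[] allowed client IPs or CIDR ranges, e.g. '127.0.0.1', '10.0.0.0/8', '::1' */
    private $allowedIps;

    /** @var string path prefix the restriction applies to */
    private $protectedPrefix;

    public function __construct(array $allowedIps, $protectedPrefix = '/_internal/secure')
    {
        $this->allowedIps = $allowedIps;
        $this->protectedPrefix = $protectedPrefix;
    }

    public static function getSubscribedEvents()
    {
        // The firewall listens on kernel.request with priority 8;
        // priority 10 makes this check run before it.
        return array(KernelEvents::REQUEST => array('onKernelRequest', 10));
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        // Gate only the master request; sub-requests (forwards, ESI) share its outcome.
        if (!$event->isMasterRequest()) {
            return;
        }

        $request = $event->getRequest();
        if (0 !== strpos($request->getPathInfo(), $this->protectedPrefix)) {
            return;
        }

        // getClientIp() honours X-Forwarded-For only for proxies listed in
        // trusted_proxies; otherwise the TCP peer address is used, so a
        // spoofed header cannot satisfy the check. Behind a reverse proxy
        // without trusted_proxies, every client appears as the proxy's IP.
        if (IpUtils::checkIp($request->getClientIp(), $this->allowedIps)) {
            return;
        }

        // Setting a response short-circuits the kernel: no controller,
        // no firewall, no security exception handling.
        $event->setResponse(new Response('Forbidden', Response::HTTP_FORBIDDEN));
    }
}

// Service definition (app/config/services.yml), hypothetical ids:
//
// services:
//     app.ip_restriction_subscriber:
//         class: AppBundle\EventListener\IpRestrictionSubscriber
//         arguments: [['127.0.0.1', '::1']]
//         tags:
//             - { name: kernel.event_subscriber }
```

The same principle applies inside a controller: returning `new Response('Forbidden', 403)` answers the client directly, whereas `createAccessDeniedException()` hands the decision to the firewall, which for an anonymous user means an authentication attempt. Whichever variant is used, the `trusted_proxies` setting decides what `getClientIp()` returns, so an IP rule that works on a developer machine should be re-checked in the deployed topology.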