Development Security

Tip

See Permissions for information about the permissions system in Ibexa DXP.

Security checklist

See the Security checklist for a list of security-related issues you should take care of before going live with a project.

Symfony authentication

To use Symfony authentication with Ibexa DXP, use the following configuration (in config/packages/security.yaml):

security:
    firewalls:
        ezpublish_front:
            pattern: ^/
            user_checker: eZ\Publish\Core\MVC\Symfony\Security\UserChecker
            anonymous: ~
            form_login:
                require_previous_session: false
            logout: ~

And in config/routes.yaml:

login:
    path: /login
    defaults: { _controller: ezpublish.security.controller:loginAction }
login_check:
    path: /login_check
logout:
    path: /logout

Note

You can fully customize the routes and/or the controller used for login. However, remember that the route paths must match the login_path, check_path and logout.path values in security.yaml.

See security configuration reference and standard login form documentation.

Authentication using Symfony Security component

Authentication is provided using the Symfony Security component.

Native and universal form_login is used, in conjunction with an extended DaoAuthenticationProvider (DAO stands for Data Access Object), the RepositoryAuthenticationProvider. Native behavior of DaoAuthenticationProvider has been preserved, making it possible to still use it for pure Symfony applications.

Security controller

A SecurityController is used to manage all security-related actions and is thus used to display the login form. It follows all standards explained in Symfony security documentation.

The base template used is EzPublishCore/Security/login.html.twig.

The layout used by default is %ezpublish.content_view.viewbase_layout% (empty layout) but can be configured together with the login template:

ezplatform:
    system:
        my_siteaccess:
            user:
                layout: layout.html.twig
                login_template: user/login.html.twig

Redirection after login

By default, Symfony redirects to the URI configured in security.yaml as default_target_path. If not set, it defaults to /.

Remember me

It is possible to use the "Remember me" functionality. Refer to the Symfony cookbook on this topic.

If you want to use this feature, you must at least extend the login template in order to add the required checkbox:

{% extends "@EzPublishCore/Security/login.html.twig" %}

{% block login_fields %}
    {{ parent() }}
    <input type="checkbox" id="remember_me" name="_remember_me" checked />
    <label for="remember_me">Keep me logged in</label>
{% endblock %}

Login handlers / SSO

Symfony provides native support for multiple user providers. This makes it easy to integrate any kind of login handler, including SSO and existing third-party bundles (e.g. FR3DLdapBundle, HWIOauthBundle, FOSUserBundle, BeSimpleSsoAuthBundle, etc.).

See Authenticating a user with multiple user providers for more information.

JWT authentication

To use JWT authentication with eZ Platform, in the provided config/packages/lexik_jwt_authentication.yaml file, modify the existing configuration by setting authorization_header to enabled:

lexik_jwt_authentication:
    secret_key: '%env(APP_SECRET)%'
    encoder:
        signature_algorithm: HS256
    # Disabled by default, because Page builder uses a custom extractor
    token_extractors:
        authorization_header:
            enabled: true
        cookie:
            enabled: false
        query_parameter:
            enabled: false

You also need a new Symfony firewall configuration for the REST and/or GraphQL APIs. It is already provided in config/packages/security.yaml; you only need to uncomment it:

security:
    firewalls:
        ezplatform_rest:
            request_matcher: EzSystems\EzPlatformAdminUi\REST\Security\NonAdminRESTRequestMatcher
            user_checker: eZ\Publish\Core\MVC\Symfony\Security\UserChecker
            anonymous: ~
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator
                entry_point: lexik_jwt_authentication.jwt_token_authenticator
            stateless: true

        ezplatform_graphql:
            request_matcher: EzSystems\EzPlatformGraphQL\Security\NonAdminGraphQLRequestMatcher
            user_checker: eZ\Publish\Core\MVC\Symfony\Security\UserChecker
            anonymous: ~
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator
                entry_point: lexik_jwt_authentication.jwt_token_authenticator
            stateless: true
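As an added example (not Ibexa's or the Lexik bundle's own code), the following PHP sketches what the configuration above sets up: which request locations the three token_extractors read from (the cookie name BEARER and query parameter bearer are assumed bundle defaults), and how an HS256 token is verified against the shared APP_SECRET before a stateless firewall accepts it. Because HS256 is symmetric, anyone holding APP_SECRET can mint valid tokens, so that value needs the same protection as a credential store.

```php
<?php
// Added example (not Ibexa's or LexikJWTAuthenticationBundle's code): models the
// extractor switches from lexik_jwt_authentication.yaml and an HS256 signature check.
declare(strict_types=1);

function base64UrlDecode(string $s): string
{
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4), true) ?: '';
}

/** Only enabled sources are consulted, in this order; names assume bundle defaults. */
function extractToken(array $headers, array $cookies, array $query, array $extractors): ?string
{
    if (($extractors['authorization_header'] ?? false)
        && preg_match('/^Bearer\s+(\S+)$/', $headers['Authorization'] ?? '', $m)) {
        return $m[1];
    }
    if (($extractors['cookie'] ?? false) && isset($cookies['BEARER'])) {
        return $cookies['BEARER'];
    }
    if (($extractors['query_parameter'] ?? false) && isset($query['bearer'])) {
        return $query['bearer'];
    }
    return null;
}

/** Verifies an HS256-signed JWT with the shared secret; returns the claims or null. */
function verifyHs256(string $jwt, string $secret, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $sig] = $parts;
    $header = json_decode(base64UrlDecode($h), true);
    if (($header['alg'] ?? '') !== 'HS256') {
        return null; // reject "none" and any algorithm other than the configured one
    }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, base64UrlDecode($sig))) {
        return null; // constant-time signature comparison
    }
    $claims = json_decode(base64UrlDecode($p), true);
    if (!is_array($claims) || ($claims['exp'] ?? 0) <= $now) {
        return null; // expired or malformed payload
    }
    return $claims;
}
```

With the page's configuration (authorization_header enabled, cookie and query_parameter disabled), a token sent only in a cookie or query string is never extracted, which keeps bearer tokens out of access logs and referrer headers.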