Security and Authentication

You can make full use of the Symfony Security Component to handle complex authentication/authorization scenarios. However, as the Pimcore administration interface and the REST API already use the security component for their own purposes, a couple of prerequisites and differences from a standard Symfony application need to be considered. As a starting point, have a look at the security.yml defined in the CoreBundle to get an idea of what Pimcore already defines.

Merged security configurations

A standard Symfony application requires the security configuration to be defined in one single file. In contrast, Pimcore allows security configurations to be merged together from multiple locations. This allows bundles (e.g. a bundle defining its own routes) to define custom security configurations for their routes, which are then merged into the global security configuration. This setup was mainly chosen to make sure the Pimcore admin security configuration is always loaded and can be extended by the application-specific configuration defined by bundles and your application logic. Security configurations will always be loaded in the following order (this also applies to firewalls and access_control entries, to make sure the admin interface is always matched first):

  • admin
  • any security configuration which was auto-loaded from bundle configs (see auto loading config files)
  • app/config/security.yml if imported from your main app/config/config.yml

Those configurations will be merged together, i.e. if a bundle defines a firewall or an access_control entry, this entry will always be loaded and matched after the admin configuration. To inspect the merged security configuration, use the debug:config security CLI command:

$ bin/console debug:config security

Current configuration for extension with alias "security"
=========================================================

security:
    providers:
        pimcore_admin:
            id: Pimcore\Bundle\AdminBundle\Security\User\UserProvider
        demo_cms_provider:
            memory:
                users:
                    john:
                        password: doe
                        roles:
                            - ROLE_USER
                    jane:
                        password: doe
                        roles:
                            - ROLE_ADMIN
    firewalls:
        ...

As a result of this merging logic, please consider the following caveats:

  • always specify the provider entry for your firewall; otherwise the pimcore_admin provider will be used, which is probably not what you want
  • you can use a pattern of ^/ for both firewall and access_control entries, but keep in mind that the admin firewall and the access_control entries defined by the admin security configuration will match first
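As an added example (not the Demo CMS profile's own file), an app/config/security.yml that respects both caveats: the firewall names its provider explicitly, and it uses a ^/ pattern knowing that the admin firewall and the admin access_control entries are merged in front of it. The route paths /login, /logout and /secure, and the plaintext encoder for the in-memory users, are assumptions.

```yaml
# app/config/security.yml (added example, imported from app/config/config.yml;
# it is therefore merged after the admin configuration and after any
# bundle-provided security configuration)
security:
    encoders:
        # Assumption: the in-memory users keep the plaintext passwords shown
        # in the debug:config output, so an explicit plaintext encoder is set.
        Symfony\Component\Security\Core\User\User: plaintext

    providers:
        demo_cms_provider:
            memory:
                users:
                    john: { password: doe, roles: [ROLE_USER] }
                    jane: { password: doe, roles: [ROLE_ADMIN] }

    firewalls:
        # Weak: no provider is named, so after merging the pimcore_admin
        # provider would be used and website visitors would be authenticated
        # against Pimcore admin users.
        # demo_cms_wrong:
        #     pattern: ^/
        #     form_login: ~

        # Corrected: the provider is named explicitly. A ^/ pattern is safe
        # here because the admin firewall is always merged before this one
        # and is therefore checked first for admin requests.
        demo_cms:
            pattern: ^/
            provider: demo_cms_provider
            anonymous: ~
            form_login:
                login_path: /login
                check_path: /login
            logout:
                path: /logout
                target: /

    # Merged after the admin access_control entries, so admin routes stay
    # governed by the Pimcore admin rules regardless of what is listed here.
    access_control:
        - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/secure, roles: ROLE_USER }
        - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
```

Run bin/console debug:config security afterwards to confirm the demo_cms firewall and its access_control entries appear after the admin ones in the merged output.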

Login example

The Demo CMS profile provides a simple login example using a Pimcore object of class User and a form_login authenticator, which allows a site-wide login with public and secured areas:

A simplified guide to this setup is illustrated in Authenticate against Pimcore Objects.

For more complex examples, custom user providers and a full configuration reference, please read the Symfony Security Component documentation.