Commit ae214fb

Merge branch '6.4' into 7.0
* 6.4: Adding info about when the firewall needs to encompass all pages
2 parents e715e45 + 2cce577 commit ae214fb

1 file changed

+10
-1
lines changed

security.rst

Lines changed: 10 additions & 1 deletion
@@ -556,6 +556,8 @@ will be able to authenticate (e.g. login form, API token, etc).
556556
Only one firewall is active on each request: Symfony uses the ``pattern`` key
557557
to find the first match (you can also
558558
:doc:`match by host or other things </security/firewall_restriction>`).
559+
Here, all real URLs are handled by the ``main`` firewall (no ``pattern`` key means
560+
it matches *all* URLs).
559561

560562
The ``dev`` firewall is really a fake firewall: it makes sure that you
561563
don't accidentally block Symfony's dev tools - which live under URLs like
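Review bot: in the sentence added at new lines 559-560, "all real URLs" is never defined, and the parenthetical says ``main`` matches *all* URLs right after the text states that only the first matching firewall is active. A reader cannot reconcile the two until the ``dev`` paragraph that follows. Suggest stating directly that ``main`` handles every URL not already matched by another firewall such as ``dev``, or moving the sentence below the ``dev`` explanation.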
@@ -619,7 +621,14 @@ you'll see that you're visiting a page behind the firewall in the toolbar:
619621

620622
Visiting a URL under a firewall doesn't necessarily require you to be authenticated
621623
(e.g. the login form has to be accessible or some parts of your application
622-
are public). You'll learn how to restrict access to URLs, controllers or
624+
are public). On the other hand, all pages that you want to be *aware* of a logged in
625+
user have to be under the same firewall. So if you want to display a *"You are logged in
626+
as ..."* message on every page, they all have to be included in the same firewall.
627+
628+
The same firewall can have many modes of authentication. In other words, it
629+
enables many ways to ask the question *"Who are you?"*.
630+
631+
You'll learn how to restrict access to URLs, controllers or
623632
anything else within your firewall in the :ref:`access control
624633
<security-access-control>` section.
625634
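Review bot: the paragraph added at new lines 624-626 says pages "have to be under the same firewall" but does not say what a page outside that firewall will observe, which is what a reader needs in order to recognise the misconfiguration. Suggest one more sentence describing that outcome (for example, that the user is treated as not logged in on such a page). Two smaller points: "logged in user" should be hyphenated as "logged-in user", and the paragraph on "many modes of authentication" at 628-629 now separates the public-pages discussion from the pointer to access control, so it may read better next to the authentication material.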
