I hope that it will be clear. I have a very old application that was upgraded to SF4.4 some time ago and is maintained and developed all the time. Unfortunately, it has a lot of old code. I have to create a firewall that will support an old authentication solution (form_login) and a new one, LexikJWTAuthenticationBundle, at the same time. It means that users can access pages when they have a session or a JWT token in the headers.
I had this configuration and it works fine:
    main:
        pattern: '^/'
        anonymous: ~
        logout_on_user_change: true
        form_login:
            provider: main
            ##
        remember_me:
            ##
        logout:
            ##
        guard:
            provider: main
            authenticators:
                - lexik_jwt_authentication.jwt_token_authenticator
This solution supported the session and the JWT token for all endpoints/pages. But unfortunately, I found places in ^/ where Authorization: Bearer <token> is used, and JWTTokenAuthenticator creates some problems and complicates everything. The next thing: it could be dangerous.
So I had to create this solution:
    react-api:
        pattern: '^/react-api'
        anonymous: ~
        guard:
            provider: main
            authenticators:
                - lexik_jwt_authentication.jwt_token_authenticator
    main:
        pattern: '^/'
        anonymous: ~
        logout_on_user_change: true
        form_login:
            provider: main
            #
        remember_me:
            #
        logout:
            ##
In the current solution for /react-api I can't authorize via session. Of course, the pattern blocks it. I think it could resolve the problem if I added a default authenticator before/after lexik_jwt_authentication.jwt_token_authenticator which will support the session. Does Symfony have something? Or is there another solution?
I found the solution. Symfony docs: https://symfony.com/doc/current/reference/configuration/security.html#firewall-context
I have to change the context for the first firewall:
    react-api:
        pattern: '^/react-api'
        anonymous: ~
        context: main
        guard:
            provider: main
            authenticators:
                - lexik_jwt_authentication.jwt_token_authenticator
    main:
        pattern: '^/'
        anonymous: ~
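A complete version of the two-firewall setup the answer describes, written here as an added example and not taken from the question or answer above. The firewall names, the /react-api path, the form_login/remember_me/logout options and the "main" user provider come from the question; the provider definition, login/logout paths and access_control rules are assumptions added to make the file self-contained. The point it shows is that `context` makes both firewalls read and write the same security token in the session, which only works when neither firewall is `stateless: true`, and that firewall order still matters because the first matching pattern wins.

```yaml
# config/packages/security.yaml (added example, not the question's own file)
security:
    providers:
        main:
            # Assumption: the question's "main" provider is a Doctrine entity provider.
            entity:
                class: App\Entity\User
                property: email

    firewalls:
        # Order matters: the first firewall whose pattern matches the request wins,
        # so the more specific /react-api firewall must be listed before ^/.
        react-api:
            pattern: '^/react-api'
            anonymous: ~
            # Same context name as the "main" firewall below. Both firewalls then
            # share the token stored in the session, so a user who logged in through
            # form_login is also authenticated here. Do NOT set stateless: true on
            # either firewall, or there is no session token to share.
            context: main
            guard:
                provider: main
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator

        main:
            pattern: '^/'
            anonymous: ~
            # A firewall's context defaults to its own name; stating it explicitly
            # documents that react-api is meant to share it.
            context: main
            logout_on_user_change: true
            form_login:
                provider: main
                login_path: login    # assumed route names
                check_path: login
            remember_me:
                secret: '%kernel.secret%'
                lifetime: 604800     # one week; assumption
            logout:
                path: logout         # assumed route name

    access_control:
        - { path: ^/login,     roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # IS_AUTHENTICATED_FULLY rather than ROLE_USER: a remember_me cookie alone
        # only yields IS_AUTHENTICATED_REMEMBERED, so it is not enough for the API.
        - { path: ^/react-api, roles: IS_AUTHENTICATED_FULLY }
        - { path: ^/,          roles: ROLE_USER }
```

One consequence worth checking before shipping this: once the session cookie authenticates requests under /react-api, state-changing endpoints there are reachable by any cross-site request the browser sends with that cookie, exactly like the form-based pages. Keep CSRF protection on those endpoints, or have them verify that the request actually carries the Authorization: Bearer header, rather than assuming that "API" routes are only ever called with a token.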