It’s too flexible and has too many methods. Let’s write down one aspect for now:

There is a third-party user function package: FOSUserBundle

If you write it yourself, before using the login form, you need to tell the framework how user information is saved. If you use Doctrine and a database, you have to write a User Entity and implement the SymfonyComponentSecurityCoreUserUserInterface interface.

(1) Create user class

namespace Acme\UserBundle\Entity; use Symfony\Component\Security\Core\User\UserInterface; use Doctrine\ORM\Mapping as ORM; /** * @ORM\Entity */ class User implements UserInterface { /** * @ORM\Column(type="string", length=255) */ protected $username; // ... }

(2) Use this user class

# app/config/security.yml security: # ... providers: main: entity: { class: Acme\UserBundle\Entity\User, property: username } encoders: Acme\UserBundle\Entity\User: sha512 # 密码用哪种hash保存

(3) Add permission control

Security verification can be controlled at the URL level. If you let your bundle share a certain URL rule, you can use a rule to control it:

# app/config/security.yml security: # ... access_control: - { path: ^/some_url, roles: ROLE_USER } # role是用户需要具备的角色，登录成功默认会有ROLE_USER

You can also use the JMSSecurityExtraBundle that comes with Symfony 2, which can be configured with annotations:

use JMS\SecurityExtraBundle\Annotation\Secure; class MyController { /** * @Secure(roles="ROLE_USER") */ public function secureAction() { // ... } }

Symfony 2 has many security component configuration items, you can refer to: http://symfony.com/doc/current/refere...

Form verification (form_login), which is the most common login box form, is one of the verification methods supported by Symfony 2 security components by default. Others include X.509, HTTP Basic, HTTP Digest, etc., and can also be verified through third parties The code package adds other verification methods. The configuration items of form validation are as follows, I have commented some commonly used items:

form_login: check_path: /login_check # 登录校验URL login_path: /login # 登录表单页 use_forward: false always_use_default_target_path: false # 登录后是否总是跳向指定目标页 default_target_path: / # 登录后的目标页 target_path_parameter: _target_path # 在登录表单里指定目标页使用的input name use_referer: false failure_path: /foo failure_forward: false failure_handler: some.service.id # 自定义登录失败的处理 success_handler: some.service.id # 自定义登录成功的处理 username_parameter: _username # 登录表单里用户名的input name password_parameter: _password # 登录表单里用户名的input name csrf_parameter: _csrf_token intention: authenticate csrf_provider: my.csrf_provider.id post_only: true remember_me: false # 是否启用“记住我”功能

There are also built-in ACLs that provide more fine-grained control. But that’s another big chapter.

Thank you very much for your answer. The built-in ACL is indeed very powerful. Thank you