Symfony2 Firewall: protect /web folder

Question

I am developping a SF2 web-app which is fully behind a firewall: nobody shouldn't be able to see or modify anything before behing logged (except login form, of course).

So here is the firewall part of my security.yml file:

firewalls:
    dev:
        pattern:  ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main_login:
        pattern:   ^/login$
        anonymous: true
    main:
        pattern:        ^/
        anonymous:      false
        form_login:
            login_path: fos_user_security_login
            check_path: fos_user_security_check
        logout:
            path:       fos_user_security_logout
            target:     /

This works fine: if I type the url http://mywebsite.com/app.php/article/show/1 while unlogged, I am forwarded to the login page.

My problem is that I have some documents and media files located in Symfony's web directory (e.g. myapp/web/document/myTextFile.txt). They are accessible via my app for logged users, but also for non-logged users!

Anybody who types http://mywebsite.com/app.php/document/myTextFile.txt can download the file...

Why doesn't the pattern: ^/ line prevent this? Is the web folder excluded by default because it contains app.php and js/and css/ folder?

How do I protect my documents?

---

Update: Display protected images

I tried the solution suggested by Gerry, it works fine to protect the download of my documents.

However, I also have pictures in my document folder and I would like to display these pictures, directly included in the relevant pages.

For example, in http://mywebsite.com/app.php/article/show/1 there will be some text and the picture myapp/app/Resources/document/AAA.jpg, and in http://mywebsite.com/app.php/article/show/2 there will be some text and the picture myapp/app/Resources/document/BBB.jpg, etc.

I tried to do it with Assetic but it seems that it is done for "static" images (like top logo, or images which are not object-dependent).

A solution I see is to convert the image in Base64 and include it like this : <img alt="" src="data:image/png;base64(...)" />, but it seems really ugly...

Answer 1

The web directory is your public root directory, being served by the webserver (Apache/Nginx/...).

By default any request to an existing file does not pass Symfony at all, so no firewall setting is going to prevent access to files residing in the web root.

The clean solution is to move these files to another directory, outside the webroot, for example app/Resources/uploads. Then you could write a Symfony controller for downloading these files.

Answer 2

I don't have a working installation of Symfony right now, but try to move your documents from web, if will firewall proceed.

Let me know the answer please, will try to find out a solution if it will not work, or if you will not be able to move those files in production.