Aimeos secure Admin with Neos 3.0

beo6
Posts: 2
Joined: 11 Mar 2017, 00:10


Post by beo6 » 11 Mar 2017, 00:17

Hello,

I successfully installed Aimeos into a Neos 3.0 installation.

However, I am struggling a bit with securing the admin interface.

I noticed it is accessible for everyone by default. (really bad. :shock: )

So I have to use the Flow/Neos authentication for it.

But it seems that when I enable it, it is still not authenticated correctly.

I basically only want to allow Neos Backend users to access the shop admin interface.

So I came up with this Policy.yaml:


privilegeTargets:
  Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege:
    'MyShop:AllActions':
      matcher: 'method(Aimeos\Shop\Controller\(Catalog|Locale|Account|Basket|Checkout|Page|Jsonapi)Controller->(.*)Action())'

    'MyShop:AdminActions':
      matcher: 'method(Aimeos\Shop\Controller\(Admin|Extadm|Jsonadm|Jqadm)Controller->(.*)Action())'


roles:
  'Neos.Neos:Editor':
    privileges:
      -
        privilegeTarget: 'MyShop:AllActions'
        permission: GRANT
      -
        privilegeTarget: 'MyShop:AdminActions'
        permission: GRANT

  'Neos.Flow:Everybody':
    privileges:
      -
        privilegeTarget: 'MyShop:AllActions'
        permission: GRANT

That way, "/shop/list" is still accessible, but "/shop/extadm" gives me the following error:

Could not authenticate any token.

Might be missing or wrong credentials or no authentication provider matched.
Evaluated following 1 privilege target(s):
"MyShop:AdminActions": ABSTAIN
(0 granted, 0 denied, 1 abstained)
Exception Code 1222204027
Exception Type Neos\Flow\Security\Exception\NoTokensAuthenticatedException
Log Reference 2017031101161041677b
Thrown in File Data/Temporary/Development/Cache/Code/Flow_Object_Classes/Neos_Flow_Security_Authorization_Interceptor_PolicyEnforcement.php
Line 104
Original File Packages/Framework/Neos.Flow/Classes/Security/Authorization/Interceptor/PolicyEnforcement.php

(It doesn't matter if I am logged in to the Neos Backend or not.)

Does anyone already have experience with this?

Would be thankful for any help. ;)
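
Added example (not part of the original post, and not Aimeos or Flow code): a simplified Python model of how the Policy.yaml above is evaluated, showing why a request without an authenticated token ends in ABSTAIN for the admin controllers while the catalog stays reachable, and why a controller matched by no privilege target is open to everyone. The action names and `ExampleController` are constructed, and reducing Flow's `method()` pointcut to two regular expressions is an assumption.

```python
import re

# Privilege targets from the Policy.yaml in the post above. Assumption: the
# Flow pointcut method(Class->Method()) is reduced to (class regex, method regex).
NS = r"Aimeos\\Shop\\Controller\\"
TARGETS = {
    "MyShop:AllActions": (
        NS + r"(Catalog|Locale|Account|Basket|Checkout|Page|Jsonapi)Controller",
        r"(.*)Action"),
    "MyShop:AdminActions": (
        NS + r"(Admin|Extadm|Jsonadm|Jqadm)Controller",
        r"(.*)Action"),
}

# Role -> granted targets, also from that Policy.yaml (it contains no DENY).
GRANTS = {
    "Neos.Flow:Everybody": {"MyShop:AllActions"},
    "Neos.Neos:Editor": {"MyShop:AllActions", "MyShop:AdminActions"},
}


def matching_targets(cls, method):
    """Names of the privilege targets whose matcher covers cls->method()."""
    return [name for name, (c, m) in TARGETS.items()
            if re.fullmatch(c, cls) and re.fullmatch(m, method)]


def decide(cls, method, authenticated_roles=()):
    """Return (allowed, votes) for one controller action.

    Every request carries Neos.Flow:Everybody; other roles only count when a
    token was authenticated for the request.
    """
    roles = {"Neos.Flow:Everybody", *authenticated_roles}
    votes = {}
    for target in matching_targets(cls, method):
        granted = any(target in GRANTS.get(role, ()) for role in roles)
        votes[target] = "GRANT" if granted else "ABSTAIN"
    if not votes:
        # No privilege target matches: the method is not protected at all.
        return True, votes
    # With no DENY in the policy, one GRANT allows; abstentions alone refuse.
    return "GRANT" in votes.values(), votes


if __name__ == "__main__":
    # Constructed requests: controller, action, roles of the authenticated token.
    for name, roles in [("Catalog", ()), ("Extadm", ()), ("Extadm", ("Neos.Neos:Editor",))]:
        print(name, roles, decide("Aimeos\\Shop\\Controller\\" + name + "Controller", "indexAction", roles))
```

The second constructed request reproduces the `"MyShop:AdminActions": ABSTAIN` line from the error output: the Editor grant exists in the policy, but it only counts once the request actually carries a token authenticated for that role.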

aimeos
Administrator
Posts: 3114
Joined: 01 Jan 1970, 00:00

Re: Aimeos secure Admin with Neos 3.0

Post by aimeos » 15 Mar 2017, 09:33

There's currently a GitHub ticket about this topic:
https://github.com/aimeos/aimeos-flow/issues/16
Professional support and custom implementation are available at Aimeos.com
If you like Aimeos, give us a star

beo6
Posts: 2
Joined: 11 Mar 2017, 00:10

Re: Aimeos secure Admin with Neos 3.0

Post by beo6 » 15 Mar 2017, 10:57

Yes. Sorry, that's my ticket. :)

Will still look for the blocked OPTIONS requests, but other than that, the backend works, including the login using the Neos login page. :)

kimholberg
Posts: 29
Joined: 21 Aug 2017, 09:42

Re: Aimeos secure Admin with Neos 3.0

Post by kimholberg » 22 Aug 2017, 13:05

Been working on this BE authentication for the Aimeos Admin security. I followed the examples in the ticket
https://github.com/aimeos/aimeos-flow/issues/16 but cannot get it to accept the Neos admin user.

My code is as follows and is placed in Configuration under my own package:

Policy.yaml:


privilegeTargets:
  Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege:
    'MyShop:AllActions':
      matcher: 'method(Aimeos\Shop\Controller\(Catalog|Locale|Account|Basket|Checkout|Page|Jsonapi)Controller->(.*)Action())'
      
    'MyShop:AdminActions':
      matcher: 'method(Aimeos\Shop\Controller\(Admin|Extadm|Jsonadm|Jqadm)Controller->(.*)Action())'

roles:
  'Neos.Flow:ShopAdmin':
    privileges:
      -
        privilegeTarget: 'MyShop:AdminActions'
        permission: GRANT
        
  'Neos.Flow:Everybody':
    privileges:
      -
        privilegeTarget: 'MyShop:AllActions'
        permission: GRANT

And Settings.yaml:


Neos:
  Flow:
    security:
      authentication:
        providers:
          'Neos.Neos:Backend':
            requestPatterns:
              'MyShop:AdminControllers':
                pattern: 'ControllerObjectName'
                patternOptions:
                  controllerObjectNamePattern: 'Aimeos\Shop\Controller\(Admin|Extadm|Jsonadm|Jqadm).*'

I have ticked the box in Neos User Management for ShopAdmin, but still get the error:

Might be missing or wrong credentials or no authentication provider matched.
Evaluated following 1 privilege target(s):
"MyShop:AdminActions": ABSTAIN
(0 granted, 0 denied, 1 abstained)


I think a general instruction in the docs would be nice to have, so we have at least a minimal security as default.

Regards
Neos 3.2.0 - Bitnami AWS C2 - Aimeos 2017-10.1

aimeos
Administrator
Posts: 3114
Joined: 01 Jan 1970, 00:00

Re: Aimeos secure Admin with Neos 3.0

Post by aimeos » 22 Aug 2017, 15:38

If you can provide instructions how to get authentication for the Aimeos backend in Neos working, we will happily add it to the documentation :-)
