Aimeos secure Admin with Neos 3.0

Posted: 11 Mar 2017, 00:17
by beo6
Hello,

I successfully installed Aimeos into a Neos 3.0 installation.

However, I am struggling a bit with securing the admin interface.

I noticed it is accessible to everyone by default. (really bad. :shock: )

So I have to use the Flow/Neos authentication for it.

But it seems that when I enable it, it still just isn't authenticated correctly.

I basically only want to allow Neos Backend users to access the shop admin interface.

So I came up with this Policy.yaml:

So i came up with this Policy.yaml

privilegeTargets:
  Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege:
    'MyShop:AllActions':
      matcher: 'method(Aimeos\Shop\Controller\(Catalog|Locale|Account|Basket|Checkout|Page|Jsonapi)Controller->(.*)Action())'

    'MyShop:AdminActions':
      matcher: 'method(Aimeos\Shop\Controller\(Admin|Extadm|Jsonadm|Jqadm)Controller->(.*)Action())'


roles:
  'Neos.Neos:Editor':
    privileges:
      -
        privilegeTarget: 'MyShop:AllActions'
        permission: GRANT
      -
        privilegeTarget: 'MyShop:AdminActions'
        permission: GRANT

  'Neos.Flow:Everybody':
    privileges:
      -
        privilegeTarget: 'MyShop:AllActions'
        permission: GRANT
That way, "/shop/list" is still accessible, but "/shop/extadm"
gives me the following error:
Could not authenticate any token.

Might be missing or wrong credentials or no authentication provider matched.
Evaluated following 1 privilege target(s):
"MyShop:AdminActions": ABSTAIN
(0 granted, 0 denied, 1 abstained)
Exception Code 1222204027
Exception Type Neos\Flow\Security\Exception\NoTokensAuthenticatedException
Log Reference 2017031101161041677b
Thrown in File Data/Temporary/Development/Cache/Code/Flow_Object_Classes/Neos_Flow_Security_Authorization_Interceptor_PolicyEnforcement.php
Line 104
Original File Packages/Framework/Neos.Flow/Classes/Security/Authorization/Interceptor/PolicyEnforcement.php
(It doesn't matter whether I am logged in to the Neos Backend or not.)

Does anyone already have experience with this?

I would be thankful for any help. ;)

Re: Aimeos secure Admin with Neos 3.0

Posted: 15 Mar 2017, 09:33
by aimeos
There's currently a GitHub ticket about this topic:
https://github.com/aimeos/aimeos-flow/issues/16

Re: Aimeos secure Admin with Neos 3.0

Posted: 15 Mar 2017, 10:57
by beo6
Yes. Sorry, that's my ticket. :)

I will still look into the blocked OPTIONS requests, but other than that, the backend works, including the login using the Neos login page. :)

Re: Aimeos secure Admin with Neos 3.0

Posted: 22 Aug 2017, 13:05
by kimholberg
I have been working on this BE authentication for the Aimeos Admin security. I followed the examples in the ticket
https://github.com/aimeos/aimeos-flow/issues/16 but cannot get it to accept the Neos admin user.

My code is as follows and is placed in Configuration under my own package:

Policy.yaml:

privilegeTargets:
  Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege:
    'MyShop:AllActions':
      matcher: 'method(Aimeos\Shop\Controller\(Catalog|Locale|Account|Basket|Checkout|Page|Jsonapi)Controller->(.*)Action())'
      
    'MyShop:AdminActions':
      matcher: 'method(Aimeos\Shop\Controller\(Admin|Extadm|Jsonadm|Jqadm)Controller->(.*)Action())'

roles:
  'Neos.Flow:ShopAdmin':
    privileges:
      -
        privilegeTarget: 'MyShop:AdminActions'
        permission: GRANT
        
  'Neos.Flow:Everybody':
    privileges:
      -
        privilegeTarget: 'MyShop:AllActions'
        permission: GRANT
And Settings.yaml:

Neos:
  Flow:
    security:
      authentication:
        providers:
          'Neos.Neos:Backend':
            requestPatterns:
              'MyShop:AdminControllers':
                pattern: 'ControllerObjectName'
                patternOptions:
                  controllerObjectNamePattern: 'Aimeos\Shop\Controller\(Admin|Extadm|Jsonadm|Jqadm).*'
I have ticked the box in Neos User Management for ShopAdmin, but still get the error:
Might be missing or wrong credentials or no authentication provider matched.
Evaluated following 1 privilege target(s):
"MyShop:AdminActions": ABSTAIN
(0 granted, 0 denied, 1 abstained)


I think a general instruction in the docs would be nice to have, so that we have at least minimal security by default.

Regards
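As an added example that is not part of either post above and not code from Aimeos or Neos, the following Python script models how the MethodPrivilege targets and role privileges from the two Policy.yaml files in this thread are evaluated for a given controller action. It assumes the usual Flow policy semantics: a matcher is a regex anchored at both ends with namespace backslashes taken literally, a DENY from any role wins, otherwise one GRANT is enough, every matched target abstaining refuses the request (for an anonymous visitor Flow reports this as the NoTokensAuthenticatedException quoted above), and an action matched by no privilege target at all is simply unprotected. The role sets and the controller list, including the made-up HypotheticalNewController, are constructed sample data.

```python
import re

# Constructed sample: the privilege targets and role assignments from the
# Policy.yaml files posted in this thread, as Python dicts so that no YAML
# parser is needed.
PRIVILEGE_TARGETS = {
    "MyShop:AllActions": "method(Aimeos\\Shop\\Controller\\(Catalog|Locale|Account|Basket|Checkout|Page|Jsonapi)Controller->(.*)Action())",
    "MyShop:AdminActions": "method(Aimeos\\Shop\\Controller\\(Admin|Extadm|Jsonadm|Jqadm)Controller->(.*)Action())",
}
ROLES = {
    "Neos.Neos:Editor": {"MyShop:AllActions": "GRANT", "MyShop:AdminActions": "GRANT"},
    "Neos.Flow:Everybody": {"MyShop:AllActions": "GRANT"},
}

# Shape of a Flow method() pointcut matcher: method(ClassPattern->methodPattern())
MATCHER_RE = re.compile(r"^method\((?P<cls>.+?)->(?P<method>.+?)\(\)\)$")


def matcher_to_regexes(matcher):
    """Split a method() matcher into compiled class and method regexes.
    Assumed Flow behaviour: both patterns are anchored regexes and the
    namespace backslashes in the class pattern are matched literally."""
    m = MATCHER_RE.match(matcher)
    if not m:
        raise ValueError("unsupported matcher: %s" % matcher)
    cls_re = re.compile("^" + m.group("cls").replace("\\", "\\\\") + "$")
    method_re = re.compile("^" + m.group("method") + "$")
    return cls_re, method_re


def matching_targets(class_name, method_name):
    """Names of all privilege targets whose matcher covers this action."""
    hits = []
    for target, matcher in PRIVILEGE_TARGETS.items():
        cls_re, method_re = matcher_to_regexes(matcher)
        if cls_re.match(class_name) and method_re.match(method_name):
            hits.append(target)
    return hits


def evaluate(role_names, class_name, method_name):
    """Return (decision, votes); votes maps each matched target to GRANT/DENY/ABSTAIN.
    Assumed semantics: DENY wins, else any GRANT allows, else all-ABSTAIN refuses.
    An action matched by no target is reported as UNPROTECTED (open to anyone)."""
    targets = matching_targets(class_name, method_name)
    votes = {}
    for target in targets:
        perms = {ROLES.get(r, {}).get(target) for r in role_names} - {None}
        if "DENY" in perms:
            votes[target] = "DENY"
        elif "GRANT" in perms:
            votes[target] = "GRANT"
        else:
            votes[target] = "ABSTAIN"
    if not targets:
        return "UNPROTECTED", votes
    if "DENY" in votes.values():
        return "DENIED", votes
    if "GRANT" in votes.values():
        return "GRANTED", votes
    return "DENIED", votes


def summarise(votes):
    """Render the vote counts in the same form as Flow's exception message."""
    counts = {p: sum(1 for v in votes.values() if v == p) for p in ("GRANT", "DENY", "ABSTAIN")}
    return "(%d granted, %d denied, %d abstained)" % (counts["GRANT"], counts["DENY"], counts["ABSTAIN"])


def unprotected_controllers(controller_names, method_name="indexAction"):
    """Defender check: controllers whose actions no privilege target covers.
    Anything listed here stays reachable without any authentication."""
    return [c for c in controller_names if not matching_targets(c, method_name)]


# Constructed list of controller class names; the last one is hypothetical and
# stands for any controller added later without updating the matchers.
CONTROLLERS = [
    "Aimeos\\Shop\\Controller\\CatalogController",
    "Aimeos\\Shop\\Controller\\ExtadmController",
    "Aimeos\\Shop\\Controller\\JqadmController",
    "Aimeos\\Shop\\Controller\\HypotheticalNewController",
]

if __name__ == "__main__":
    anon = ["Neos.Flow:Everybody"]          # what an unauthenticated visitor carries
    editor = anon + ["Neos.Neos:Editor"]    # a logged-in Neos backend user (first post's policy)
    for roles in (anon, editor):
        decision, votes = evaluate(roles, "Aimeos\\Shop\\Controller\\ExtadmController", "indexAction")
        print(roles, "->", decision, votes, summarise(votes))
    print("unprotected:", unprotected_controllers(CONTROLLERS))
```

Run stand-alone it reproduces the thread's "(0 granted, 0 denied, 1 abstained)" for the anonymous case on ExtadmController, shows GRANTED once a role that grants MyShop:AdminActions is present, and lists any controller that neither matcher covers, which is the check worth repeating whenever a new controller appears in the shop package.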

Re: Aimeos secure Admin with Neos 3.0

Posted: 22 Aug 2017, 15:38
by aimeos
If you can provide instructions on how to get authentication for the Aimeos backend in Neos working, we will happily add them to the documentation :-)