When I set 'deny_by_default' ('zf-mvc-auth' component) to true, I get 403 "Forbidden" on all pages of the site

I am trying to use oauth2 with Apigility within a zf3 project too. At the moment I am facing the following situation: when I set 'deny_by_default' to true, I get 403 "Forbidden" on all pages of the site, even at non-API URLs. I mean, the home page of my site shows 403 too.

This is my config:

    'zf-mvc-auth' => [
        'authentication' => [
            'map' => [
                '\\Admin\\Module\\User\\V1' => 'oauth2_pdo',
            ],
        ],
        'authorization' => [
            'deny_by_default' => true,
            '\\Admin\\Module\\User\\V1\\Rest\\Item\\Controller' => [
                'collection' => [
                    'GET' => true,
                    'POST' => true,
                    'PUT' => false,
                    'PATCH' => false,
                    'DELETE' => false,
                ],
                'entity' => [
                    'GET' => true,
                    'POST' => false,
                    'PUT' => true,
                    'PATCH' => true,
                    'DELETE' => true,
                ],
            ],
        ],
    ],

I have the Apigility admin in another project and generate what I need there. After that I copy the generated config to my project.
It looks like I have missed something. When I remove deny_by_default or set it to false, everything works as before, but my API can be seen without authentication.

I have this JSON response on all pages (on the home page too):


How to fix this?

This article may help: https://blog.tomhanderson.com/2017/10/using-zf-mvc-auth-for-custom.html

It's not as easy as just a config variable, but once all your ACL is in place you'll have better control of your permissions.


I followed this tutorial https://apigility.org/documentation/auth/user-differentiation but your example contains Doctrine, which is exactly what I need. Thank you!

Also, I have figured out why I had 403 everywhere: I had to add ACL resources to the authorization listener.

I have fixed the 403 on non-API pages but still have 403 on all REST API links.

Tom, can you clarify one point from your blog post at https://blog.tomhanderson.com/2017/10/using-zf-mvc-auth-for-custom.html for me?
First you wrote this:

    'zf-mvc-auth' => array(
        'authentication' => array(
            'adapters' => array(
                'user' => [
                    'adapter' => 'User\\Authentication\\Adapter\\DoctrineAdapter',
                    'storage' => [

where the name of the adapter is "DoctrineAdapter". Later in that post you mention this:

    final class AuthenticationAdapter implements

Is the “AuthenticationAdapter” the same as “DoctrineAdapter” from config?

Also, this page https://apigility.org/documentation/auth/user-differentiation mentions "final class SessionAdapter", but later in those docs there is this code:

    // Add Authentication Adapter for session
    $defaultAuthenticationListener = $container->get(DefaultAuthenticationListener::class);
    $defaultAuthenticationListener->attach(new Authentication\AuthenticationAdapter());

Are "SessionAdapter" and "AuthenticationAdapter" the same thing? Because I used them as the same and renamed the second class to the first.

@testuser I don't get what you're asking. If you're still working on this, add some links to the code with your question.

Hi, Tom! Thank you for replying!
I have figured this issue out.

@testuser it is customary to describe what the issue was and how you solved it for those who come here later looking for help.

@xerkus, I don't remember exactly, but if I am not mistaken the issue was related to the fact that 'deny_by_default' and 'zf-mvc-auth' were related only to guest users, and I was trying to configure Apigility for the admin user.

I have created an additional authorization listener and added something like this:

    $entityMethods = [
    $authorization->allow('admin', '\\Admin\\Module\\News\\V1\\Rest\\Item\\Controller' . '::entity', $entityMethods);

This works for me.

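The listener the last post describes, as an added example (not code from this thread, from Tom's blog, or from the zf-mvc-auth project): a module that attaches to the zf-mvc-auth authorization event and grants an authenticated 'admin' role exactly the methods the poster's config marks true, so 'deny_by_default' keeps them closed to guests. The role id 'admin', the Admin module namespace and the listener priority of 100 are assumptions.

```php
<?php
// Added example, not from the thread or zf-mvc-auth. Assumed: role id
// "admin", this module namespace, and a listener priority of 100.
namespace Admin;

use Zend\Mvc\MvcEvent;
use Zend\Permissions\Acl\Acl;
use ZF\MvcAuth\MvcAuthEvent;

class Module
{
    // REST resources an admin may reach, keyed by "Controller::type";
    // these are the methods the 'authorization' config above marks true.
    const ADMIN_RULES = [
        '\\Admin\\Module\\User\\V1\\Rest\\Item\\Controller::collection' => ['GET', 'POST'],
        '\\Admin\\Module\\User\\V1\\Rest\\Item\\Controller::entity'     => ['GET', 'PUT', 'PATCH', 'DELETE'],
    ];

    public function onBootstrap(MvcEvent $e)
    {
        $e->getApplication()->getEventManager()->attach(
            MvcAuthEvent::EVENT_AUTHORIZATION,
            [$this, 'onAuthorization'],
            100 // run before the default authorization listener consults the ACL
        );
    }

    public function onAuthorization(MvcAuthEvent $e)
    {
        $identity = $e->getIdentity();
        $acl      = $e->getAuthorizationService();

        // Only act for an authenticated identity with the admin role; guests
        // keep the rules derived from the 'authorization' config.
        if ($identity === null || $identity->getRoleId() !== 'admin' || ! $acl instanceof Acl) {
            return;
        }

        if (! $acl->hasRole('admin')) {
            $acl->addRole('admin');
        }

        foreach (self::ADMIN_RULES as $resource => $methods) {
            if (! $acl->hasResource($resource)) {
                $acl->addResource($resource);
            }
            // Privileges are HTTP methods; anything not listed stays denied.
            $acl->allow('admin', $resource, $methods);
        }
    }
}
```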