feature #18617 [Security] Allow an array of pattern in firewall configuration (alexandre-daubois)

OskarStark · OskarStark · commit 393823ca6e52 · 2023-08-01T08:12:33.000+02:00
This PR was merged into the 6.4 branch. Discussion ---------- [Security] Allow an array of pattern in firewall configuration Related to symfony/symfony#51128 Commits ------- 66a7330 [SecurityBundle] Allow an array of pattern in firewall configuration
diff --git a/security.rst b/security.rst
@@ -561,6 +561,55 @@ The ``dev`` firewall is really a fake firewall: it makes sure that you
 don't accidentally block Symfony's dev tools - which live under URLs like
 ``/_profiler`` and ``/_wdt``.
 
+.. tip::
+
+    Instead of creating one long regex to match all routes you want, you're
+    also able to use an array of simpler regexes to match routes:
+
+    .. configuration-block::
+
+        .. code-block:: yaml
+
+            # config/packages/security.yaml
+            security:
+                # ...
+                firewalls:
+                    dev:
+                        pattern:
+                            - ^/_profiler/
+                            - ^/_wdt/
+                            - ^/css/
+                            - ^/images/
+                            - ^/js/
+            # ...
+
+        .. code-block:: php
+
+            // config/packages/security.php
+            use Symfony\Config\SecurityConfig;
+
+            return static function (SecurityConfig $security): void {
+                // ...
+                $security->firewall('dev')
+                    ->pattern([
+                        '^/_profiler/',
+                        '^/_wdt/',
+                        '^/css/',
+                        '^/images/',
+                        '^/js/',
+                    ])
+                    ->security(false)
+                ;
+
+                // ...
+            };
+
+    This feature is not supported by the XML configuration format.
+
+    .. versionadded:: 6.4
+
+        The possibility to use an array of regex was introduced in Symfony 6.4.
+
 All *real* URLs are handled by the ``main`` firewall (no ``pattern`` key means
 it matches *all* URLs). A firewall can have many modes of authentication,
 in other words, it enables many ways to ask the question "Who are you?".
