How to restfully login, Symfony2 Security, FOSUserBundle, FOSRestBundle?
There are many ways to provide authentication and authorization to a REST Web Service but the most accepted one seems to be OAuth. Facebook, Twitter, Google, Github and the like use it.
The people at Friends Of Symfony have a bundle to implement OAuth authentication and authorization on Symfony2: https://github.com/FriendsOfSymfony/FOSOAuthServerBundle and I think this is what you are looking for.
EDIT: For more information on OAuth, the people at Cloudfoundry posted an interesting article a couple of days ago.
About other options you can use, a simple one is basic authentication:
    firewalls:
        main:
            pattern: ^/rest
            anonymous: ~
            form_login: false
            provider: fos_user_bundle
            http_basic:
                realm: "REST Service Realm"
EDIT2: As I see that there are still people voting for this answer, I think that it is necessary to note that at the time of writing this answer JWT was not an option yet, but that maybe it is a better option than OAuth in some use cases (e.g. when the API is going to be consumed by your own apps). So here is a link to a good JWT implementation for Symfony2/3: https://github.com/lexik/LexikJWTAuthenticationBundle/blob/master/Resources/doc/index.md
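The basic-authentication firewall from the answer above, extended into a fuller configuration as an added example (not part of the original answer or of any bundle's documentation). It assumes a Symfony 2.x `app/config/security.yml`, the provider name used in the answer, and the `ROLE_USER` role that FOSUserBundle assigns by default.

```yaml
# app/config/security.yml (added example, Symfony 2.x layout assumed)
security:
    firewalls:
        main:
            pattern: ^/rest
            # Kept from the answer. With anonymous access enabled, the firewall
            # alone rejects nobody: requests without credentials continue as an
            # anonymous user unless an access_control rule (below) or a check in
            # the controller denies them.
            anonymous: ~
            form_login: false
            # Provider name as written in the answer; it must match a provider
            # defined under security.providers.
            provider: fos_user_bundle
            # REST clients resend the Authorization header on every request,
            # so no session is created or read for this firewall.
            stateless: true
            http_basic:
                realm: "REST Service Realm"

    access_control:
        # Enforces authentication for the API. An anonymous request to /rest
        # is answered with 401 and a WWW-Authenticate header for the realm.
        # Basic credentials are only base64-encoded, so the rule also requires
        # HTTPS. A plain-HTTP request is redirected, but by then the header has
        # already crossed the wire: configure clients with https:// URLs.
        - { path: ^/rest, roles: ROLE_USER, requires_channel: https }
```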
You should not use CURL to authenticate the user with your web service.
Take a look into ResettingController.php (in FOSUserBundle/Controller) and LoginManager.php (in Security), there is an example of how to authenticate the user using Symfony Security:
Controller/ResettingController.php
    /**
     * Authenticate a user with Symfony Security
     *
     * @param \FOS\UserBundle\Model\UserInterface        $user
     * @param \Symfony\Component\HttpFoundation\Response $response
     */
    protected function authenticateUser(UserInterface $user, Response $response)
    {
        try {
            $this->container->get('fos_user.security.login_manager')->loginUser(
                $this->container->getParameter('fos_user.firewall_name'),
                $user,
                $response);
        } catch (AccountStatusException $ex) {
            // We simply do not authenticate users which do not pass the user
            // checker (not enabled, expired, etc.).
        }
    }
and in Security/LoginManager.php
    final public function loginUser($firewallName, UserInterface $user, Response $response = null)
    {
        $this->userChecker->checkPostAuth($user);

        $token = $this->createToken($firewallName, $user);

        if ($this->container->isScopeActive('request')) {
            $this->sessionStrategy->onAuthentication($this->container->get('request'), $token);

            if (null !== $response) {
                $rememberMeServices = null;
                if ($this->container->has('security.authentication.rememberme.services.persistent.'.$firewallName)) {
                    $rememberMeServices = $this->container->get('security.authentication.rememberme.services.persistent.'.$firewallName);
                } elseif ($this->container->has('security.authentication.rememberme.services.simplehash.'.$firewallName)) {
                    $rememberMeServices = $this->container->get('security.authentication.rememberme.services.simplehash.'.$firewallName);
                }

                if ($rememberMeServices instanceof RememberMeServicesInterface) {
                    $rememberMeServices->loginSuccess($this->container->get('request'), $response, $token);
                }
            }
        }

        $this->securityContext->setToken($token);
    }