Protecting Aimeos admin interface

Hi There,

Been working on Aimeos integration on my local Neos 3.1.0 installation and first priority is to protect the shop admin interface, so only ShopAdmin can access the page. I know that Sascha Löffler and Søren Malling (on Slack) have been working on the same issue, but nothing seems to have been solved.

Installing Aimeos went well and I can see both list view (the shop) and the admin interface.

My configuration for restricting access is as follows:

Setting.yaml (in my package Configuration folder):

Neos:
  Flow:
    security:
      authentication:
        providers:
          'Neos.Neos:Backend':
            requestPatterns:
              'MyShop:AdminControllers':
                pattern: 'ControllerObjectName'
                patternOptions:
                  controllerObjectNamePattern: 'Aimeos\Shop\Controller\(Admin|Extadm|Jsonadm|Jqadm).*'

Policy.yaml (in my package Configuration folder):

privilegeTargets:

  'Neos\Flow\Security\Authorization\Privilege\Method\MethodPrivilege':
  
    'MyShop:AllActions':
      matcher: 'method(Aimeos\Shop\Controller\(Catalog|Locale|Account|Basket|Checkout|Page|Jsonapi)Controller->(.*)Action())'
      
    'MyShop:AdminActions':
      matcher: 'method(Aimeos\Shop\Controller\(Admin|Extadm|Jsonadm|Jqadm)Controller->(.*)Action())'

roles:

  'Aimeos.Shop:ShopAdmin':
    privileges:
      -
        privilegeTarget: 'MyShop:AdminActions'
        permission: GRANT
        
  'Neos.Flow:Everybody':
    privileges:
      -
        privilegeTarget: 'MyShop:AllActions'
        permission: GRANT

I have tested around with different users like Administrator, Editor - and also checked that user Everybody works in different modes.

It seems the token is not sent or accepted, as I get this error:

Could not authenticate any token.

Might be missing or wrong credentials or no authentication provider matched.
Evaluated following 1 privilege target(s):
“MyShop:AdminActions”: ABSTAIN
(0 granted, 0 denied, 1 abstained)

Exception Code 1222204027
Exception Type Neos\Flow\Security\Exception\NoTokensAuthenticatedException
Log Reference 201708230158528c4cba
Thrown in File Data/Temporary/Development/Cache/Code/Flow_Object_Classes/Neos_Flow_Security_Authorization_Interceptor_PolicyEnforcement.php
Line 104
Original File Packages/Framework/Neos.Flow/Classes/Security/Authorization/Interceptor/PolicyEnforcement.php

Does anyone have any idea how to solve this, or maybe come up with another approach?

regards,

Kim Holberg Andersen