I use symfony sfDoctrineGuardPlugin to manage authentication for both frontend users and backend users. It's fine, except that I don't want frontend users to be able to login to the backend app. I can setup credentials, but credentials are checked after a user gets authenticated. What I want is to have sigin in form to never validate for a user, that is not in a backend group. How can I do this?

I think I found a better solution. sfDoctrineGuard plugin has its own post validator that checks for an optional callable for user retrival.

//app.yml
all:
  sf_guard_plugin:
    retrieve_by_username_callable: sfGuardUser::getForBackend

//sfGuardUser.class.php

  public static function getForBackend($username)
  {
    $query = Doctrine::getTable('sfGuardUser')->createQuery('u')
      ->leftJoin('u.Groups g')
      ->leftJoin('g.Permissions p')
      ->where('u.username = ? OR u.email_address = ?', array($username, $username))
      ->addWhere('u.is_active = ?', true)
      ->addWhere('p.name = ?', 'backend');

    return $query->fetchOne();
  }

Here's one idea: You could try creating a custom post-validator for the login form. Here's a Google result:

http://www.symfony-project.org/blog/2008/09/05/call-the-expert-how-to-implement-a-conditional-validator

In this validator, you could check whether the user belongs to the group in question and then throw an error accordingly. The user would not get authenticated.

I think you just have to add:

  storage:
    class: sfSessionStorage
    param:
      session_name: sf_backend

at the end of your backend/config/factories.yml By default, symfony shares session cookies, with this solution, symfony separate this cookies.