symfony/src/Symfony/Component/Security/CHANGELOG.md

CHANGELOG
=========

4.0.0
-----

 * The `AbstractFormLoginAuthenticator::onAuthenticationSuccess()` was removed.
   You should implement this method yourself in your concrete authenticator.
 * removed the `AccessDecisionManager::setVoters()` method
 * removed the `RoleInterface`
 * removed support for voters that don't implement the `VoterInterface`
 * added a sixth `string $context` argument to `LogoutUrlGenerator::registerListener()`
 * removed HTTP digest authentication
 * removed `GuardAuthenticatorInterface` in favor of `AuthenticatorInterface`
 * removed `AbstractGuardAuthenticator::supports()`

3.4.0
-----

 * Added `getUser`, `getToken` and `isGranted` methods to `Security`.
 * added a `setToken()` method to the `SwitchUserEvent` class to allow to replace the created token while switching users
   when custom token generation is required by application.
 * Using voters that do not implement the `VoterInterface`is now deprecated in
   the `AccessDecisionManager` and this functionality will be removed in 4.0.
 * Using the `ContextListener` without setting the `logoutOnUserChange`
   property will trigger a deprecation when the user has changed. As of 4.0
   the user will always be logged out when the user has changed between
   requests.
 * deprecated HTTP digest authentication
 * Added a new password encoder for the Argon2i hashing algorithm
 * deprecated `GuardAuthenticatorInterface` in favor of `AuthenticatorInterface`
 * deprecated to return `null` from `getCredentials()` in classes that extend
   `AbstractGuardAuthenticator`. Return `false` from `supports()` instead.

3.3.0
-----

 * deprecated `AccessDecisionManager::setVoters()` in favor of passing the
   voters to the constructor.
 * [EXPERIMENTAL] added a `json_login` listener for stateless authentication

3.2.0
-----

 * added `$attributes` and `$subject` with getters/setters to `Symfony\Component\Security\Core\Exception\AccessDeniedException`

3.0.0
-----

 * removed all deprecated code

2.8.0
-----

 * deprecated `getKey()` of the `AnonymousToken`, `RememberMeToken`,
   `AbstractRememberMeServices` and `DigestAuthenticationEntryPoint` classes in favor of `getSecret()`.
 * deprecated `Symfony\Component\Security\Core\Authentication\SimplePreAuthenticatorInterface`, use
   `Symfony\Component\Security\Http\Authentication\SimplePreAuthenticatorInterface` instead
 * deprecated `Symfony\Component\Security\Core\Authentication\SimpleFormAuthenticatorInterface`, use
   `Symfony\Component\Security\Http\Authentication\SimpleFormAuthenticatorInterface` instead
 * deprecated `Symfony\Component\Security\Core\Util\ClassUtils`, use
   `Symfony\Component\Security\Acl\Util\ClassUtils` instead
 * deprecated the `Symfony\Component\Security\Core\Util\SecureRandom` class in favor of the `random_bytes()` function
 * deprecated `supportsAttribute()` and `supportsClass()` methods of
   `Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface` and
   `Symfony\Component\Security\Core\Authorization\Voter\VoterInterface`.
 * deprecated `getSupportedAttributes()` and `getSupportedClasses()` methods of
   `Symfony\Component\Security\Core\Authorization\Voter\AbstractVoter`, use `supports()` instead.
 * deprecated the `intention` option for all the authentication listeners,
   use the `csrf_token_id` option instead.

2.7.0
-----

 * added LogoutUrlGenerator
 * added the triggering of the `Symfony\Component\Security\Http\SecurityEvents::INTERACTIVE_LOGIN` in `Symfony\Component\Security\Http\Firewall\SimplePreAuthenticationListener`
 * The MaskBuilder logic has been abstracted in the `Symfony\Component\Security\Acl\Permission\AbstractMaskBuilder`
   and described in the `Symfony\Component\Security\Acl\Permission\MaskBuilderInterface`
 * added interface `Symfony\Component\Security\Acl\Permission\MaskBuilderRetrievalInterface`

2.6.0
-----

 * added Symfony\Component\Security\Http\Authentication\AuthenticationUtils
 * Deprecated the `SecurityContext` class in favor of the `AuthorizationChecker` and `TokenStorage` classes

2.4.0
-----

 * Translations in the `src/Symfony/Component/Security/Resources/translations/` directory are deprecated, ones in `src/Symfony/Component/Security/Core/Resources/translations/` must be used instead.
 * The switch user listener now preserves the query string when switching a user
 * The remember-me cookie hashes now use HMAC, which means that current cookies will be invalidated
 * added simpler customization options
 * structured component into three sub-components Acl, Core and Http
 * added Csrf sub-component
 * changed Http sub-component to depend on Csrf sub-component instead of the Form component

2.3.0
-----

 * [BC BREAK] the BCrypt encoder constructor signature has changed (the first argument was removed)
   To use the BCrypt encoder, you now need PHP 5.5 or "ircmaxell/password-compat" as a composer dependency
 * [BC BREAK] return 401 instead of 500 when using use_forward during for form authentication
 * added a `require_previous_session` option to `AbstractAuthenticationListener`

2.2.0
-----

 * `Symfony\Component\Security\Http\Firewall` and
   `Symfony\Component\Security\Http\RememberMe\ResponseListener` now
   implements EventSubscriberInterface
 * added secure random number generator
 * added PBKDF2 Password encoder
 * added BCrypt password encoder

2.1.0
-----

 * [BC BREAK] The signature of ExceptionListener has changed
 * changed the HttpUtils constructor signature to take a UrlGenerator and a UrlMatcher instead of a Router
 * EncoderFactoryInterface::getEncoder() can now also take a class name as an argument
 * allow switching to the user that is already impersonated
 * added support for the remember_me parameter in the query
 * added AccessMapInterface
 * [BC BREAK] moved user comparison logic out of UserInterface
 * made the logout path check configurable
 * after login, the user is now redirected to `default_target_path` if
   `use_referer` is true and the referrer is the `login_path`.
 * added a way to remove a token from a session
 * [BC BREAK] changed `MutableAclInterface::setParentAcl` to accept `null`,
   review your implementation to reflect this change.
 * `ObjectIdentity::fromDomainObject`, `UserSecurityIdentity::fromAccount` and
   `UserSecurityIdentity::fromToken` now return correct identities for proxies
   objects (e.g. Doctrine proxies)
 * [BC BREAK] moved the default authentication success and failure handling to
   separate classes. The order of arguments in the constructor of the
   `AbstractAuthenticationListener` has changed.
 * [BC BREAK] moved the default logout success handling to a separate class. The
   order of arguments in the constructor of `LogoutListener` has changed.
 * [BC BREAK] The constructor of `AuthenticationException` and all child
   classes now matches the constructor of `\Exception`. The extra information
   getters and setters are removed. There are now dedicated getters/setters for
   token (`AuthenticationException'), user (`AccountStatusException`) and
   username (`UsernameNotFoundException`).
[Security] added CHANGELOG 2012-04-26 21:30:56 +01:00			`CHANGELOG`
			`=========`

[SecurityBundle][Security][Finder] Remove deprecated code paths - [Finder] Removed `ExceptionInterface` - [SecurityBundle] remove `UserPasswordEncoderCommand` BC layer - [Security] remove `LogoutUrlGenerator::registerListener` BC layer 2017-05-18 06:25:38 +01:00			`4.0.0`
			`-----`

[Security] remove deprecated features 2017-05-21 10:46:47 +01:00			* The `AbstractFormLoginAuthenticator::onAuthenticationSuccess()` was removed.
			`You should implement this method yourself in your concrete authenticator.`
			* removed the `AccessDecisionManager::setVoters()` method
			* removed the `RoleInterface`
[Security] remove support for defining voters that don't implement the VoterInterface interface. 2017-06-28 23:18:27 +01:00			* removed support for voters that don't implement the `VoterInterface`
			* added a sixth `string $context` argument to `LogoutUrlGenerator::registerListener()`
[Security][SecurityBundle] Remove the HTTP digest auth 2017-09-26 18:05:58 +01:00			`* removed HTTP digest authentication`
[Security][Guard] Remove GuardAuthenticatorInterface 2017-10-05 18:29:32 +01:00			* removed `GuardAuthenticatorInterface` in favor of `AuthenticatorInterface`
			* removed `AbstractGuardAuthenticator::supports()`
[SecurityBundle][Security][Finder] Remove deprecated code paths - [Finder] Removed `ExceptionInterface` - [SecurityBundle] remove `UserPasswordEncoderCommand` BC layer - [Security] remove `LogoutUrlGenerator::registerListener` BC layer 2017-05-18 06:25:38 +01:00
[Security] Trigger a deprecation when a voter is missing the VoterInterface 2017-05-04 08:35:02 +01:00			`3.4.0`
			`-----`

Adding a shortcuts for the main security functionality 2017-09-26 20:22:45 +01:00			* Added `getUser`, `getToken` and `isGranted` methods to `Security`.
Passing the newly generated security token to the event during user switching. Event allows listeners to easily switch out the token if custom token updates are required 2017-04-19 17:13:04 +01:00			* added a `setToken()` method to the `SwitchUserEvent` class to allow to replace the created token while switching users
Merge branch '2.8' into 3.4 * 2.8: [HttpKernel] Fix restoring trusted proxies in tests CODEOWNERS: some more rules 2018-05-31 11:13:22 +01:00			`when custom token generation is required by application.`
[Security] Trigger a deprecation when a voter is missing the VoterInterface 2017-05-04 08:35:02 +01:00			* Using voters that do not implement the `VoterInterface`is now deprecated in
			the `AccessDecisionManager` and this functionality will be removed in 4.0.
[Security] Deprecated not being logged out after user change 2017-08-14 09:19:33 +01:00			* Using the `ContextListener` without setting the `logoutOnUserChange`
			`property will trigger a deprecation when the user has changed. As of 4.0`
			`the user will always be logged out when the user has changed between`
			`requests.`
[Security][SecurityBundle] Deprecate the HTTP digest auth 2017-09-26 18:05:58 +01:00			`* deprecated HTTP digest authentication`
Argon2i Password Encoder Add the Argon2i hashing algorithm provided by libsodium as a core encoder in the Security component, and enable it in the SecurityBundle. Credit to @chalasr for help with unit tests. 2017-09-26 13:56:45 +01:00			`* Added a new password encoder for the Argon2i hashing algorithm`
Fix BC layer 2017-10-05 08:59:11 +01:00			* deprecated `GuardAuthenticatorInterface` in favor of `AuthenticatorInterface`
Merge branch '2.8' into 3.4 * 2.8: [HttpKernel] Fix restoring trusted proxies in tests CODEOWNERS: some more rules 2018-05-31 11:13:22 +01:00			* deprecated to return `null` from `getCredentials()` in classes that extend
Update UPGRADE-4.0.md This https://github.com/symfony/symfony/blob/3.4/src/Symfony/Component/Security/Guard/Firewall/GuardAuthenticationListener.php#L127 was not reported. 2018-05-30 10:57:41 +01:00			`AbstractGuardAuthenticator`. Return `false` from `supports()` instead.
[Security] Trigger a deprecation when a voter is missing the VoterInterface 2017-05-04 08:35:02 +01:00
Use IteratorArgument for voters 2017-03-01 15:05:29 +00:00			`3.3.0`
			`-----`

fixed wording 2017-04-04 20:45:53 +01:00			* deprecated `AccessDecisionManager::setVoters()` in favor of passing the
			`voters to the constructor.`
[Security] Allow to set a check_path on json_login listener 2017-04-13 18:48:35 +01:00			* [EXPERIMENTAL] added a `json_login` listener for stateless authentication
Use IteratorArgument for voters 2017-03-01 15:05:29 +00:00
[Security] Expose the required roles in AccessDeniedException 2016-04-28 10:12:15 +01:00			`3.2.0`
			`-----`

AccessDeniedException: rename object to subject With this change the name is inline with what we use in the base voter interface. 2016-09-19 12:01:06 +01:00			* added `$attributes` and `$subject` with getters/setters to `Symfony\Component\Security\Core\Exception\AccessDeniedException`
[Security] Expose the required roles in AccessDeniedException 2016-04-28 10:12:15 +01:00
[Security] Remove deprecated interfaces 2015-09-03 20:29:24 +01:00			`3.0.0`
			`-----`

Updated CHANGELOG 2015-09-21 08:10:39 +01:00			`* removed all deprecated code`
[Security] Remove deprecated interfaces 2015-09-03 20:29:24 +01:00
[DX] [Security] Renamed Token#getKey() to getSecret() 2015-06-29 12:59:59 +01:00			`2.8.0`
			`-----`

Renamed key to secret 2015-11-07 17:29:53 +00:00			* deprecated `getKey()` of the `AnonymousToken`, `RememberMeToken`,
			`AbstractRememberMeServices` and `DigestAuthenticationEntryPoint` classes in favor of `getSecret()`.
[Security] Moved Simple{Form,Pre}AuthenticatorInterfaces to Security\Http 2015-06-28 13:36:46 +01:00			* deprecated `Symfony\Component\Security\Core\Authentication\SimplePreAuthenticatorInterface`, use
			`Symfony\Component\Security\Http\Authentication\SimplePreAuthenticatorInterface` instead
			* deprecated `Symfony\Component\Security\Core\Authentication\SimpleFormAuthenticatorInterface`, use
			`Symfony\Component\Security\Http\Authentication\SimpleFormAuthenticatorInterface` instead
Deprecated Security ClassUtils in favor of Acl ClassUtils 2015-08-25 11:07:24 +01:00			* deprecated `Symfony\Component\Security\Core\Util\ClassUtils`, use
			`Symfony\Component\Security\Acl\Util\ClassUtils` instead
Deprecate the SecureRandom class 2015-09-23 21:36:53 +01:00			* deprecated the `Symfony\Component\Security\Core\Util\SecureRandom` class in favor of the `random_bytes()` function
[Security] Deprecated supportsAttribute and supportsClass methods 2015-06-30 13:43:35 +01:00			* deprecated `supportsAttribute()` and `supportsClass()` methods of
			`Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface` and
			`Symfony\Component\Security\Core\Authorization\Voter\VoterInterface`.
			* deprecated `getSupportedAttributes()` and `getSupportedClasses()` methods of
			`Symfony\Component\Security\Core\Authorization\Voter\AbstractVoter`, use `supports()` instead.
[Security][SecurityBundle] Use csrf_token_id instead of deprecated intention 2015-11-28 11:32:42 +00:00			* deprecated the `intention` option for all the authentication listeners,
			use the `csrf_token_id` option instead.
[DX] [Security] Renamed Token#getKey() to getSecret() 2015-06-29 12:59:59 +01:00
[Security] Added the triggering of the security.interactive_login event after set of token 2014-11-12 22:47:12 +00:00			`2.7.0`
			`-----`

[SecurityBundle] decouple the logout PHP helper and Twig extension 2015-01-21 00:16:45 +00:00			`* added LogoutUrlGenerator`
			* added the triggering of the `Symfony\Component\Security\Http\SecurityEvents::INTERACTIVE_LOGIN` in `Symfony\Component\Security\Http\Firewall\SimplePreAuthenticationListener`
improved MaskBuilder 2015-03-20 22:18:31 +00:00			* The MaskBuilder logic has been abstracted in the `Symfony\Component\Security\Acl\Permission\AbstractMaskBuilder`
			and described in the `Symfony\Component\Security\Acl\Permission\MaskBuilderInterface`
added MaskBuilderRetrievalInterface 2015-03-20 22:35:10 +00:00			* added interface `Symfony\Component\Security\Acl\Permission\MaskBuilderRetrievalInterface`
[Security] Added the triggering of the security.interactive_login event after set of token 2014-11-12 22:47:12 +00:00
[SecurityBundle] error helper added symfony/symfony#11147 2014-07-05 15:07:05 +01:00			`2.6.0`
			`-----`

			`* added Symfony\Component\Security\Http\Authentication\AuthenticationUtils`
Split of the SecurityContext to AuthorizationChecker and TokenStorage 2014-09-24 08:31:12 +01:00			* Deprecated the `SecurityContext` class in favor of the `AuthorizationChecker` and `TokenStorage` classes
[SecurityBundle] error helper added symfony/symfony#11147 2014-07-05 15:07:05 +01:00
[Security] updated the CHANGELOG 2013-06-13 09:16:06 +01:00			`2.4.0`
			`-----`

added missing deprecation in CHANGELOG 2015-06-14 17:58:29 +01:00			* Translations in the `src/Symfony/Component/Security/Resources/translations/` directory are deprecated, ones in `src/Symfony/Component/Security/Core/Resources/translations/` must be used instead.
[Security] added a missing CHANGELOG enrty 2013-08-30 14:09:09 +01:00			`* The switch user listener now preserves the query string when switching a user`
[Security] updated CHANGELOG (refs #8195) 2013-07-21 20:36:38 +01:00			`* The remember-me cookie hashes now use HMAC, which means that current cookies will be invalidated`
[Security] updated the CHANGELOG 2013-06-13 09:16:06 +01:00			`* added simpler customization options`
[Security] Changed Security HTTP sub-component to depend on CSRF sub-component instead of Form 2013-09-27 08:23:44 +01:00			`* structured component into three sub-components Acl, Core and Http`
			`* added Csrf sub-component`
			`* changed Http sub-component to depend on Csrf sub-component instead of the Form component`
[Security] updated the CHANGELOG 2013-06-13 09:16:06 +01:00
[Security] added missing entry to the CHANGELOG 2013-03-23 13:30:20 +00:00			`2.3.0`
			`-----`

[Security] added more info about the BCrypt change (refs #7853) 2013-04-26 10:39:57 +01:00			`* [BC BREAK] the BCrypt encoder constructor signature has changed (the first argument was removed)`
			`To use the BCrypt encoder, you now need PHP 5.5 or "ircmaxell/password-compat" as a composer dependency`
[Security] Return 401 when using use_forward for form authentication 2013-02-04 09:27:49 +00:00			`* [BC BREAK] return 401 instead of 500 when using use_forward during for form authentication`
[Security] added missing entry to the CHANGELOG 2013-03-23 13:30:20 +00:00			* added a `require_previous_session` option to `AbstractAuthenticationListener`

[Security] Added Pbkdf2PasswordEncoder [Security] changed default iterations of Pbkdf2PasswordEncoder to 1000 instead of 5000 [Security] Improved description of PBKDF2 encoder [SecurityBundle] added PBKDF2 PasswordEncoder updated CHANGELOG.md [Security] Use the build-in hash_pbkdf2() when available [SecurityBundle] added information about hash_algorithm for configuration [Security] always check algorithm and fixed CS 2012-06-26 11:12:42 +01:00			`2.2.0`
			`-----`

[Security] updated CHANGELOG 2012-11-08 08:10:50 +00:00			* `Symfony\Component\Security\Http\Firewall` and
			`Symfony\Component\Security\Http\RememberMe\ResponseListener` now
			`implements EventSubscriberInterface`
renamed Prng to SecureRandom 2012-10-27 08:05:47 +01:00			`* added secure random number generator`
			`* added PBKDF2 Password encoder`
Added BCrypt password encoder. 2012-12-01 18:23:38 +00:00			`* added BCrypt password encoder`
[Security] Added Pbkdf2PasswordEncoder [Security] changed default iterations of Pbkdf2PasswordEncoder to 1000 instead of 5000 [Security] Improved description of PBKDF2 encoder [SecurityBundle] added PBKDF2 PasswordEncoder updated CHANGELOG.md [Security] Use the build-in hash_pbkdf2() when available [SecurityBundle] added information about hash_algorithm for configuration [Security] always check algorithm and fixed CS 2012-06-26 11:12:42 +01:00
[Security] added CHANGELOG 2012-04-26 21:30:56 +01:00			`2.1.0`
			`-----`

[Security] updated CHANGELOG 2012-07-02 18:29:27 +01:00			`* [BC BREAK] The signature of ExceptionListener has changed`
[Security] changed the HttpUtils constructor to tak both a UrlGenerator and a UrlMatcher instead of a Router (to make it useable by Silex) 2012-06-26 10:17:51 +01:00			`* changed the HttpUtils constructor signature to take a UrlGenerator and a UrlMatcher instead of a Router`
[Security] allowed class names to be passed as an argument to EncoderFactoryInterface::getEncoder() 2012-06-18 07:12:50 +01:00			`* EncoderFactoryInterface::getEncoder() can now also take a class name as an argument`
[Security] added CHANGELOG 2012-04-26 21:30:56 +01:00			`* allow switching to the user that is already impersonated`
			`* added support for the remember_me parameter in the query`
			`* added AccessMapInterface`
			`* [BC BREAK] moved user comparison logic out of UserInterface`
			`* made the logout path check configurable`
			* after login, the user is now redirected to `default_target_path` if
			`use_referer` is true and the referrer is the `login_path`.
			`* added a way to remove a token from a session`
			* [BC BREAK] changed `MutableAclInterface::setParentAcl` to accept `null`,
			`review your implementation to reflect this change.`
			* `ObjectIdentity::fromDomainObject`, `UserSecurityIdentity::fromAccount` and
			`UserSecurityIdentity::fromToken` now return correct identities for proxies
			`objects (e.g. Doctrine proxies)`
[Security] Add note to CHANGELOG about refactored authentication failure/success handling [Security] Various CS + doc fixes [Security] Exception when authentication failure/success handlers do not return a response [Security] Add authors + fix docblock 2012-06-21 08:49:20 +01:00			`* [BC BREAK] moved the default authentication success and failure handling to`
Fixed typos 2012-07-28 23:02:29 +01:00			`separate classes. The order of arguments in the constructor of the`
[Security] Add note to CHANGELOG about refactored authentication failure/success handling [Security] Various CS + doc fixes [Security] Exception when authentication failure/success handlers do not return a response [Security] Add authors + fix docblock 2012-06-21 08:49:20 +01:00			`AbstractAuthenticationListener` has changed.
Fixed typos 2012-07-28 23:02:29 +01:00			`* [BC BREAK] moved the default logout success handling to a separate class. The`
[Security] Add note to changelog about BC break 2012-07-14 15:07:27 +01:00			order of arguments in the constructor of `LogoutListener` has changed.
[Security] Add note about changed constructor to changelog 2012-07-15 15:00:04 +01:00			* [BC BREAK] The constructor of `AuthenticationException` and all child
[Security] Removed `get/setExtraInformation`, added `get/set(Token\|User)` 2012-07-15 16:26:18 +01:00			classes now matches the constructor of `\Exception`. The extra information
			`getters and setters are removed. There are now dedicated getters/setters for`
[Security] Introduced `UsernameNotFoundException#get/setUsername` 2012-07-15 16:38:53 +01:00			token (`AuthenticationException'), user (`AccountStatusException`) and
			username (`UsernameNotFoundException`).