[Security] Use LogoutException for invalid CSRF token in LogoutListener
On the advice of @schmittjoh, this commit adds a LogoutException class for use by LogoutListener if the CSRF token is invalid. The handling in the Security component's ExceptionListener is modeled after AccessDeniedException, which gets wrapped in an AccessDeniedHttpException in the absence of handler service or error page (I didn't think it was appropriate to re-use those for LogoutException).
This commit is contained in:
Jeremy Mikola
parent
a96105e332
commit
49a8654cb8
@ -0,0 +1,25 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
* This file is part of the Symfony package.
|
||||
*
|
||||
* (c) Fabien Potencier <fabien@symfony.com>
|
||||
*
|
||||
* For the full copyright and license information, please view the LICENSE
|
||||
* file that was distributed with this source code.
|
||||
*/
|
||||
|
||||
namespace Symfony\Component\Security\Core\Exception;
|
||||
|
||||
/**
|
||||
* LogoutException is thrown when the account cannot be logged out.
|
||||
*
|
||||
* @author Jeremy Mikola <jmikola@gmail.com>
|
||||
*/
|
||||
class LogoutException extends \RuntimeException
|
||||
{
|
||||
public function __construct($message = 'Logout Exception', \Exception $previous = null)
|
||||
{
|
||||
parent::__construct($message, 403, $previous);
|
||||
}
|
||||
}
|
||||
@ -20,6 +20,7 @@ use Symfony\Component\Security\Core\Exception\AccountStatusException;
|
||||
use Symfony\Component\Security\Core\Exception\AuthenticationException;
|
||||
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
|
||||
use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
|
||||
use Symfony\Component\Security\Core\Exception\LogoutException;
|
||||
use Symfony\Component\Security\Http\HttpUtils;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\HttpKernel\Log\LoggerInterface;
|
||||
@ -140,6 +141,14 @@ class ExceptionListener
|
||||
return;
|
||||
}
|
||||
}
|
||||
} elseif ($exception instanceof LogoutException) {
|
||||
if (null !== $this->logger) {
|
||||
$this->logger->info(sprintf('Logout exception occurred; wrapping with AccessDeniedHttpException (%s)', $exception->getMessage()));
|
||||
}
|
||||
|
||||
$event->setException(new AccessDeniedHttpException($exception->getMessage(), $exception));
|
||||
|
||||
return;
|
||||
} else {
|
||||
return;
|
||||
}
|
||||
|
||||
@ -16,7 +16,7 @@ use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
|
||||
use Symfony\Component\Security\Core\SecurityContextInterface;
|
||||
use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
|
||||
use Symfony\Component\Security\Core\Exception\LogoutException;
|
||||
use Symfony\Component\Security\Http\HttpUtils;
|
||||
use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;
|
||||
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;
|
||||
@ -91,7 +91,7 @@ class LogoutListener implements ListenerInterface
|
||||
$csrfToken = $request->get($this->options['csrf_parameter'], null, true);
|
||||
|
||||
if (false === $this->csrfProvider->isCsrfTokenValid($this->options['intention'], $csrfToken)) {
|
||||
throw new InvalidCsrfTokenException('Invalid CSRF token.');
|
||||
throw new LogoutException('Invalid CSRF token.');
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -145,7 +145,7 @@ class LogoutListenerTest extends \PHPUnit_Framework_TestCase
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException
|
||||
* @expectedException Symfony\Component\Security\Core\Exception\LogoutException
|
||||
*/
|
||||
public function testCsrfValidationFails()
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user