[Security] always check the token on non-lazy firewalls
parent
2a91f28ed4
commit
797450d6b8
|
@ -18,6 +18,7 @@ use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface
|
|||
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
|
||||
use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
|
||||
use Symfony\Component\Security\Http\AccessMapInterface;
|
||||
use Symfony\Component\Security\Http\Event\LazyResponseEvent;
|
||||
|
||||
/**
|
||||
* AccessListener enforces access control rules.
|
||||
|
@ -51,6 +52,10 @@ class AccessListener implements ListenerInterface
|
|||
*/
|
||||
public function __invoke(RequestEvent $event)
|
||||
{
|
||||
if (!$event instanceof LazyResponseEvent && null === $token = $this->tokenStorage->getToken()) {
|
||||
throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
|
||||
}
|
||||
|
||||
$request = $event->getRequest();
|
||||
|
||||
list($attributes) = $this->map->getPatterns($request);
|
||||
|
@ -59,7 +64,7 @@ class AccessListener implements ListenerInterface
|
|||
return;
|
||||
}
|
||||
|
||||
if (null === $token = $this->tokenStorage->getToken()) {
|
||||
if ($event instanceof LazyResponseEvent && null === $token = $this->tokenStorage->getToken()) {
|
||||
throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
|
||||
}
|
||||
|
||||
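Review bot: The two near-identical token checks in `__invoke` have no comment explaining why one runs before the access-map lookup and the other after it. A later cleanup could easily merge them and silently drop the non-lazy check for requests that match no rule. I would add `// Non-lazy firewall: a missing token is an error on every request, even one that matches no access rule.` above the first check and `// Lazy firewall: only look the token up once a rule actually requires it.` above the second. `$token` is assigned inside a short-circuited condition on both paths, so any later use of it depends on exactly one of the two checks having run, which the comments should also state. The body of `__invoke` continues beyond this section, so that later use is not visible here.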
|
|
|
@ -18,6 +18,7 @@ use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterfac
|
|||
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
||||
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
|
||||
use Symfony\Component\Security\Http\AccessMapInterface;
|
||||
use Symfony\Component\Security\Http\Event\LazyResponseEvent;
|
||||
use Symfony\Component\Security\Http\Firewall\AccessListener;
|
||||
|
||||
class AccessListenerTest extends TestCase
|
||||
|
@ -219,7 +220,7 @@ class AccessListenerTest extends TestCase
|
|||
->willReturn($request)
|
||||
;
|
||||
|
||||
$listener($event);
|
||||
$listener(new LazyResponseEvent($event));
|
||||
}
|
||||
|
||||
public function testHandleWhenTheSecurityTokenStorageHasNoToken()
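Review bot: No test visible in this section pins the behaviour the commit title describes: a non-lazy event with no token, on a request that matches no access rule, should now raise `AuthenticationCredentialsNotFoundException`. The only change here wraps an existing test's event in `LazyResponseEvent`, which keeps the deferred path covered. `testHandleWhenTheSecurityTokenStorageHasNoToken` starts on the last line of the hunk and its body is outside it, so it may already cover the non-lazy case, but that is worth confirming. If it does not, add a case that calls `$listener($event)` with a plain `RequestEvent`, an access map returning no attributes and a token storage returning `null`, and expects the exception. The method containing the changed call also starts before the hunk.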
|
||||
|
|