[Security] Changed Security HTTP sub-component to depend on CSRF sub-component instead of Form
This commit is contained in:
Bernhard Schussek
parent
1bf16400fb
commit
85d49597a9
@ -7,6 +7,9 @@ CHANGELOG
|
||||
* The switch user listener now preserves the query string when switching a user
|
||||
* The remember-me cookie hashes now use HMAC, which means that current cookies will be invalidated
|
||||
* added simpler customization options
|
||||
* structured component into three sub-components Acl, Core and Http
|
||||
* added Csrf sub-component
|
||||
* changed Http sub-component to depend on Csrf sub-component instead of the Form component
|
||||
|
||||
2.3.0
|
||||
-----
|
||||
|
||||
@ -11,12 +11,12 @@
|
||||
|
||||
namespace Symfony\Component\Security\Http\Firewall;
|
||||
|
||||
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
|
||||
use Symfony\Component\Security\Core\SecurityContextInterface;
|
||||
use Symfony\Component\Security\Core\Exception\LogoutException;
|
||||
use Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface;
|
||||
use Symfony\Component\Security\Http\HttpUtils;
|
||||
use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;
|
||||
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;
|
||||
@ -34,18 +34,18 @@ class LogoutListener implements ListenerInterface
|
||||
private $handlers;
|
||||
private $successHandler;
|
||||
private $httpUtils;
|
||||
private $csrfProvider;
|
||||
private $csrfTokenGenerator;
|
||||
|
||||
/**
|
||||
* Constructor
|
||||
*
|
||||
* @param SecurityContextInterface $securityContext
|
||||
* @param HttpUtils $httpUtils An HttpUtilsInterface instance
|
||||
* @param LogoutSuccessHandlerInterface $successHandler A LogoutSuccessHandlerInterface instance
|
||||
* @param array $options An array of options to process a logout attempt
|
||||
* @param CsrfProviderInterface $csrfProvider A CsrfProviderInterface instance
|
||||
* @param HttpUtils $httpUtils An HttpUtilsInterface instance
|
||||
* @param LogoutSuccessHandlerInterface $successHandler A LogoutSuccessHandlerInterface instance
|
||||
* @param array $options An array of options to process a logout attempt
|
||||
* @param CsrfTokenGeneratorInterface $csrfTokenGenerator A CsrfTokenGeneratorInterface instance
|
||||
*/
|
||||
public function __construct(SecurityContextInterface $securityContext, HttpUtils $httpUtils, LogoutSuccessHandlerInterface $successHandler, array $options = array(), CsrfProviderInterface $csrfProvider = null)
|
||||
public function __construct(SecurityContextInterface $securityContext, HttpUtils $httpUtils, LogoutSuccessHandlerInterface $successHandler, array $options = array(), CsrfTokenGeneratorInterface $csrfTokenGenerator = null)
|
||||
{
|
||||
$this->securityContext = $securityContext;
|
||||
$this->httpUtils = $httpUtils;
|
||||
@ -55,7 +55,7 @@ class LogoutListener implements ListenerInterface
|
||||
'logout_path' => '/logout',
|
||||
), $options);
|
||||
$this->successHandler = $successHandler;
|
||||
$this->csrfProvider = $csrfProvider;
|
||||
$this->csrfTokenGenerator = $csrfTokenGenerator;
|
||||
$this->handlers = array();
|
||||
}
|
||||
|
||||
@ -72,7 +72,7 @@ class LogoutListener implements ListenerInterface
|
||||
/**
|
||||
* Performs the logout if requested
|
||||
*
|
||||
* If a CsrfProviderInterface instance is available, it will be used to
|
||||
* If a CsrfTokenGeneratorInterface instance is available, it will be used to
|
||||
* validate the request.
|
||||
*
|
||||
* @param GetResponseEvent $event A GetResponseEvent instance
|
||||
@ -89,10 +89,10 @@ class LogoutListener implements ListenerInterface
|
||||
return;
|
||||
}
|
||||
|
||||
if (null !== $this->csrfProvider) {
|
||||
if (null !== $this->csrfTokenGenerator) {
|
||||
$csrfToken = $request->get($this->options['csrf_parameter'], null, true);
|
||||
|
||||
if (false === $this->csrfProvider->isCsrfTokenValid($this->options['intention'], $csrfToken)) {
|
||||
if (false === $this->csrfTokenGenerator->isCsrfTokenValid($this->options['intention'], $csrfToken)) {
|
||||
throw new LogoutException('Invalid CSRF token.');
|
||||
}
|
||||
}
|
||||
|
||||
@ -13,10 +13,11 @@ namespace Symfony\Component\Security\Http\Firewall;
|
||||
|
||||
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
|
||||
use Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface;
|
||||
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
|
||||
use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
|
||||
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
|
||||
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
|
||||
use Symfony\Component\Security\Core\Authentication\SimpleFormAuthenticatorInterface;
|
||||
use Symfony\Component\Security\Core\SecurityContextInterface;
|
||||
use Symfony\Component\Security\Http\HttpUtils;
|
||||
@ -29,7 +30,7 @@ use Psr\Log\LoggerInterface;
|
||||
class SimpleFormAuthenticationListener extends AbstractAuthenticationListener
|
||||
{
|
||||
private $simpleAuthenticator;
|
||||
private $csrfProvider;
|
||||
private $csrfTokenGenerator;
|
||||
|
||||
/**
|
||||
* Constructor.
|
||||
@ -46,16 +47,16 @@ class SimpleFormAuthenticationListener extends AbstractAuthenticationListener
|
||||
* @param LoggerInterface $logger A LoggerInterface instance
|
||||
* @param EventDispatcherInterface $dispatcher An EventDispatcherInterface instance
|
||||
* @param SimpleFormAuthenticatorInterface $simpleAuthenticator A SimpleFormAuthenticatorInterface instance
|
||||
* @param CsrfProviderInterface $csrfProvider A CsrfProviderInterface instance
|
||||
* @param CsrfTokenGeneratorInterface $csrfTokenGenerator A CsrfTokenGeneratorInterface instance
|
||||
*/
|
||||
public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, SessionAuthenticationStrategyInterface $sessionStrategy, HttpUtils $httpUtils, $providerKey, AuthenticationSuccessHandlerInterface $successHandler, AuthenticationFailureHandlerInterface $failureHandler, array $options = array(), LoggerInterface $logger = null, EventDispatcherInterface $dispatcher = null, CsrfProviderInterface $csrfProvider = null, SimpleFormAuthenticatorInterface $simpleAuthenticator = null)
|
||||
public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, SessionAuthenticationStrategyInterface $sessionStrategy, HttpUtils $httpUtils, $providerKey, AuthenticationSuccessHandlerInterface $successHandler, AuthenticationFailureHandlerInterface $failureHandler, array $options = array(), LoggerInterface $logger = null, EventDispatcherInterface $dispatcher = null, CsrfTokenGeneratorInterface $csrfTokenGenerator = null, SimpleFormAuthenticatorInterface $simpleAuthenticator = null)
|
||||
{
|
||||
if (!$simpleAuthenticator) {
|
||||
throw new \InvalidArgumentException('Missing simple authenticator');
|
||||
}
|
||||
|
||||
$this->simpleAuthenticator = $simpleAuthenticator;
|
||||
$this->csrfProvider = $csrfProvider;
|
||||
$this->csrfTokenGenerator = $csrfTokenGenerator;
|
||||
|
||||
$options = array_merge(array(
|
||||
'username_parameter' => '_username',
|
||||
@ -84,10 +85,10 @@ class SimpleFormAuthenticationListener extends AbstractAuthenticationListener
|
||||
*/
|
||||
protected function attemptAuthentication(Request $request)
|
||||
{
|
||||
if (null !== $this->csrfProvider) {
|
||||
if (null !== $this->csrfTokenGenerator) {
|
||||
$csrfToken = $request->get($this->options['csrf_parameter'], null, true);
|
||||
|
||||
if (false === $this->csrfProvider->isCsrfTokenValid($this->options['intention'], $csrfToken)) {
|
||||
if (false === $this->csrfTokenGenerator->isCsrfTokenValid($this->options['intention'], $csrfToken)) {
|
||||
throw new InvalidCsrfTokenException('Invalid CSRF token.');
|
||||
}
|
||||
}
|
||||
|
||||
@ -11,9 +11,9 @@
|
||||
|
||||
namespace Symfony\Component\Security\Http\Firewall;
|
||||
|
||||
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Psr\Log\LoggerInterface;
|
||||
use Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface;
|
||||
use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
|
||||
use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
|
||||
use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
|
||||
@ -32,12 +32,12 @@ use Symfony\Component\EventDispatcher\EventDispatcherInterface;
|
||||
*/
|
||||
class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationListener
|
||||
{
|
||||
private $csrfProvider;
|
||||
private $csrfTokenGenerator;
|
||||
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, SessionAuthenticationStrategyInterface $sessionStrategy, HttpUtils $httpUtils, $providerKey, AuthenticationSuccessHandlerInterface $successHandler, AuthenticationFailureHandlerInterface $failureHandler, array $options = array(), LoggerInterface $logger = null, EventDispatcherInterface $dispatcher = null, CsrfProviderInterface $csrfProvider = null)
|
||||
public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, SessionAuthenticationStrategyInterface $sessionStrategy, HttpUtils $httpUtils, $providerKey, AuthenticationSuccessHandlerInterface $successHandler, AuthenticationFailureHandlerInterface $failureHandler, array $options = array(), LoggerInterface $logger = null, EventDispatcherInterface $dispatcher = null, CsrfTokenGeneratorInterface $csrfTokenGenerator = null)
|
||||
{
|
||||
parent::__construct($securityContext, $authenticationManager, $sessionStrategy, $httpUtils, $providerKey, $successHandler, $failureHandler, array_merge(array(
|
||||
'username_parameter' => '_username',
|
||||
@ -47,7 +47,7 @@ class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationL
|
||||
'post_only' => true,
|
||||
), $options), $logger, $dispatcher);
|
||||
|
||||
$this->csrfProvider = $csrfProvider;
|
||||
$this->csrfTokenGenerator = $csrfTokenGenerator;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -67,10 +67,10 @@ class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationL
|
||||
*/
|
||||
protected function attemptAuthentication(Request $request)
|
||||
{
|
||||
if (null !== $this->csrfProvider) {
|
||||
if (null !== $this->csrfTokenGenerator) {
|
||||
$csrfToken = $request->get($this->options['csrf_parameter'], null, true);
|
||||
|
||||
if (false === $this->csrfProvider->isCsrfTokenValid($this->options['intention'], $csrfToken)) {
|
||||
if (false === $this->csrfTokenGenerator->isCsrfTokenValid($this->options['intention'], $csrfToken)) {
|
||||
throw new InvalidCsrfTokenException('Invalid CSRF token.');
|
||||
}
|
||||
}
|
||||
|
||||
@ -28,7 +28,7 @@
|
||||
"psr/log": "~1.0"
|
||||
},
|
||||
"suggest": {
|
||||
"symfony/form": "",
|
||||
"symfony/security-csrf": "",
|
||||
"symfony/routing": ""
|
||||
},
|
||||
"autoload": {
|
||||
|
||||
Reference in New Issue
Block a user