[FrameworkBundle][SecurityBundle] Added service configuration for the new Security CSRF sub-component
parent
2048cf6d35
commit
bf85e8365a
@ -6,6 +6,8 @@ CHANGELOG
|
|||||||
|
|
||||||
* allowed multiple IP addresses in profiler matcher settings
|
* allowed multiple IP addresses in profiler matcher settings
|
||||||
* added stopwatch helper to time templates with the WebProfilerBundle
|
* added stopwatch helper to time templates with the WebProfilerBundle
|
||||||
|
* added service definition for "security.secure_random" service
|
||||||
|
* added service definitions for the new Security CSRF sub-component
|
||||||
|
|
||||||
2.3.0
|
2.3.0
|
||||||
-----
|
-----
|
||||||
|
@ -56,6 +56,10 @@ class FrameworkExtension extends Extension
|
|||||||
|
|
||||||
$loader->load('debug_prod.xml');
|
$loader->load('debug_prod.xml');
|
||||||
|
|
||||||
|
// Enable services for CSRF protection (even without forms)
|
||||||
|
$loader->load('security.xml');
|
||||||
|
$loader->load('security_csrf.xml');
|
||||||
|
|
||||||
if ($container->getParameter('kernel.debug')) {
|
if ($container->getParameter('kernel.debug')) {
|
||||||
$loader->load('debug.xml');
|
$loader->load('debug.xml');
|
||||||
|
|
||||||
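Review bot: `security.xml` and `security_csrf.xml` are now loaded unconditionally in `load()`, so every container built by FrameworkBundle carries definitions whose classes live in the Security component (`Symfony\Component\Security\Core\Util\SecureRandom`, `Symfony\Component\Security\Csrf\CsrfTokenGenerator`), while the diff adds neither a dependency nor a guard for them. Wrapping the two loads in a class check would keep applications without that component working: `if (class_exists('Symfony\Component\Security\Csrf\CsrfTokenGenerator')) { $loader->load('security.xml'); $loader->load('security_csrf.xml'); }`. Separately, `security.csrf.token_storage` in security_csrf.xml takes the `session` service with no `on-invalid` behaviour, yet the session check that the next hunk (`@ -158,9 +162,7 @@`) keeps only runs on the form-CSRF path; confirm the container still builds when sessions are not configured. `load()` begins and ends outside this hunk.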
@ -158,9 +162,7 @@ class FrameworkExtension extends Extension
|
|||||||
if (!isset($config['session'])) {
|
if (!isset($config['session'])) {
|
||||||
throw new \LogicException('CSRF protection needs that sessions are enabled.');
|
throw new \LogicException('CSRF protection needs that sessions are enabled.');
|
||||||
}
|
}
|
||||||
if (!isset($config['secret'])) {
|
|
||||||
throw new \LogicException('CSRF protection needs a secret to be set.');
|
|
||||||
}
|
|
||||||
$loader->load('form_csrf.xml');
|
$loader->load('form_csrf.xml');
|
||||||
|
|
||||||
$container->setParameter('form.type_extension.csrf.enabled', true);
|
$container->setParameter('form.type_extension.csrf.enabled', true);
|
||||||
|
@ -4,15 +4,8 @@
|
|||||||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
|
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
|
||||||
|
|
||||||
<parameters>
|
|
||||||
<parameter key="form.csrf_provider.class">Symfony\Component\Form\Extension\Csrf\CsrfProvider\SessionCsrfProvider</parameter>
|
|
||||||
</parameters>
|
|
||||||
|
|
||||||
<services>
|
<services>
|
||||||
<service id="form.csrf_provider" class="%form.csrf_provider.class%">
|
<service id="form.csrf_provider" class="Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfTokenGeneratorAdapter" parent="security.csrf.token_generator" />
|
||||||
<argument type="service" id="session" />
|
|
||||||
<argument>%kernel.secret%</argument>
|
|
||||||
</service>
|
|
||||||
|
|
||||||
<service id="form.type_extension.csrf" class="Symfony\Component\Form\Extension\Csrf\Type\FormTypeCsrfExtension">
|
<service id="form.type_extension.csrf" class="Symfony\Component\Form\Extension\Csrf\Type\FormTypeCsrfExtension">
|
||||||
<tag name="form.type_extension" alias="form" />
|
<tag name="form.type_extension" alias="form" />
|
||||||
|
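Review bot: `form.csrf_provider` is now declared with `parent="security.csrf.token_generator"`, which makes it inherit that definition's constructor arguments (`security.csrf.token_storage`, `security.secure_random`) rather than receive the generator itself. That is only correct if `CsrfTokenGeneratorAdapter` is constructed exactly like `CsrfTokenGenerator`; if the adapter wraps a generator instance, the wiring should instead be `<service id="form.csrf_provider" class="Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfTokenGeneratorAdapter"><argument type="service" id="security.csrf.token_generator" /></service>`. The adapter's constructor is not in the diff, so this is worth confirming, and a one-line XML comment stating why the parent/argument choice was made would help, since the test that covered this service's arguments is removed in the same commit.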
@ -0,0 +1,19 @@
|
|||||||
|
<?xml version="1.0" ?>
|
||||||
|
|
||||||
|
<container xmlns="http://symfony.com/schema/dic/services"
|
||||||
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
|
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
|
||||||
|
|
||||||
|
<parameters>
|
||||||
|
<parameter key="security.secure_random.class">Symfony\Component\Security\Core\Util\SecureRandom</parameter>
|
||||||
|
</parameters>
|
||||||
|
|
||||||
|
<services>
|
||||||
|
<!-- Pseudo-Random Number Generator -->
|
||||||
|
<service id="security.secure_random" class="%security.secure_random.class%">
|
||||||
|
<tag name="monolog.logger" channel="security" />
|
||||||
|
<argument>%kernel.cache_dir%/secure_random.seed</argument>
|
||||||
|
<argument type="service" id="logger" on-invalid="ignore" />
|
||||||
|
</service>
|
||||||
|
</services>
|
||||||
|
</container>
|
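Review bot: The `<!-- Pseudo-Random Number Generator -->` comment above `security.secure_random` does not tell a reader that the service is handed a seed file path under `%kernel.cache_dir%`, so the seed disappears whenever the cache directory is removed and its protection depends on the cache directory's permissions. Suggest `<!-- Pseudo-Random Number Generator; the seed file lives in the cache dir and is lost on cache:clear -->` and, on the logger line, a short note that the logger is optional because of `on-invalid="ignore"`. The definition itself is moved unchanged from SecurityBundle, so no behavioural point is raised here.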
@ -0,0 +1,22 @@
|
|||||||
|
<?xml version="1.0" ?>
|
||||||
|
|
||||||
|
<container xmlns="http://symfony.com/schema/dic/services"
|
||||||
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
|
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
|
||||||
|
|
||||||
|
<parameters>
|
||||||
|
<parameter key="security.csrf.token_generator.class">Symfony\Component\Security\Csrf\CsrfTokenGenerator</parameter>
|
||||||
|
<parameter key="security.csrf.token_storage.class">Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage</parameter>
|
||||||
|
</parameters>
|
||||||
|
|
||||||
|
<services>
|
||||||
|
<service id="security.csrf.token_storage" class="%security.csrf.token_storage.class%" public="false">
|
||||||
|
<argument type="service" id="session" />
|
||||||
|
</service>
|
||||||
|
|
||||||
|
<service id="security.csrf.token_generator" class="%security.csrf.token_generator.class%">
|
||||||
|
<argument type="service" id="security.csrf.token_storage" />
|
||||||
|
<argument type="service" id="security.secure_random" />
|
||||||
|
</service>
|
||||||
|
</services>
|
||||||
|
</container>
|
@ -30,7 +30,6 @@ abstract class FrameworkExtensionTest extends TestCase
|
|||||||
$this->assertEquals('%form.type_extension.csrf.enabled%', $def->getArgument(1));
|
$this->assertEquals('%form.type_extension.csrf.enabled%', $def->getArgument(1));
|
||||||
$this->assertEquals('_csrf', $container->getParameter('form.type_extension.csrf.field_name'));
|
$this->assertEquals('_csrf', $container->getParameter('form.type_extension.csrf.field_name'));
|
||||||
$this->assertEquals('%form.type_extension.csrf.field_name%', $def->getArgument(2));
|
$this->assertEquals('%form.type_extension.csrf.field_name%', $def->getArgument(2));
|
||||||
$this->assertEquals('s3cr3t', $container->getParameterBag()->resolveValue($container->findDefinition('form.csrf_provider')->getArgument(1)));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public function testProxies()
|
public function testProxies()
|
||||||
|
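Review bot: Dropping the `s3cr3t` assertion leaves this test (its method name starts outside the hunk) with no check on how `form.csrf_provider` is wired, right when that service is changed to a parent-based definition in form_csrf.xml. A replacement assertion that holds whether or not the container is compiled would be `$this->assertEquals('Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfTokenGeneratorAdapter', $container->findDefinition('form.csrf_provider')->getClass());`. If the test container is left uncompiled, asserting the parent id as well would pin the inheritance that the XML now relies on.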
@ -5,6 +5,7 @@ CHANGELOG
|
|||||||
-----
|
-----
|
||||||
|
|
||||||
* Added 'host' option to firewall configuration
|
* Added 'host' option to firewall configuration
|
||||||
|
* Moved 'security.secure_random' service configuration to FrameworkBundle
|
||||||
|
|
||||||
2.3.0
|
2.3.0
|
||||||
-----
|
-----
|
||||||
@ -79,9 +80,9 @@ CHANGELOG
|
|||||||
logout:
|
logout:
|
||||||
path: /logout_path
|
path: /logout_path
|
||||||
target: /
|
target: /
|
||||||
csrf_parameter: _csrf_token # Optional (defaults to "_csrf_token")
|
csrf_parameter: _csrf_token # Optional (defaults to "_csrf_token")
|
||||||
csrf_provider: form.csrf_provider # Required to enable protection
|
csrf_provider: security.csrf.token_generator # Required to enable protection
|
||||||
intention: logout # Optional (defaults to "logout")
|
intention: logout # Optional (defaults to "logout")
|
||||||
```
|
```
|
||||||
|
|
||||||
If the LogoutListener has CSRF protection enabled but cannot validate a token,
|
If the LogoutListener has CSRF protection enabled but cannot validate a token,
|
||||||
|
@ -151,12 +151,5 @@
|
|||||||
<argument type="service" id="security.context" />
|
<argument type="service" id="security.context" />
|
||||||
<argument type="service" id="security.encoder_factory" />
|
<argument type="service" id="security.encoder_factory" />
|
||||||
</service>
|
</service>
|
||||||
|
|
||||||
<!-- Pseudorandom Number Generator -->
|
|
||||||
<service id="security.secure_random" class="Symfony\Component\Security\Core\Util\SecureRandom">
|
|
||||||
<tag name="monolog.logger" channel="security" />
|
|
||||||
<argument>%kernel.cache_dir%/secure_random.seed</argument>
|
|
||||||
<argument type="service" id="logger" on-invalid="ignore" />
|
|
||||||
</service>
|
|
||||||
</services>
|
</services>
|
||||||
</container>
|
</container>
|
||||||
|
@ -12,8 +12,8 @@
|
|||||||
namespace Symfony\Bundle\SecurityBundle\Templating\Helper;
|
namespace Symfony\Bundle\SecurityBundle\Templating\Helper;
|
||||||
|
|
||||||
use Symfony\Component\DependencyInjection\ContainerInterface;
|
use Symfony\Component\DependencyInjection\ContainerInterface;
|
||||||
use Symfony\Component\Form\Extension\Csrf\CsrfProvider\CsrfProviderInterface;
|
|
||||||
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
|
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
|
||||||
|
use Symfony\Component\Security\Csrf\CsrfTokenGeneratorInterface;
|
||||||
use Symfony\Component\Templating\Helper\Helper;
|
use Symfony\Component\Templating\Helper\Helper;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -43,15 +43,15 @@ class LogoutUrlHelper extends Helper
|
|||||||
/**
|
/**
|
||||||
* Registers a firewall's LogoutListener, allowing its URL to be generated.
|
* Registers a firewall's LogoutListener, allowing its URL to be generated.
|
||||||
*
|
*
|
||||||
* @param string $key The firewall key
|
* @param string $key The firewall key
|
||||||
* @param string $logoutPath The path that starts the logout process
|
* @param string $logoutPath The path that starts the logout process
|
||||||
* @param string $intention The intention for CSRF token generation
|
* @param string $csrfTokenId The ID of the CSRF token
|
||||||
* @param string $csrfParameter The CSRF token parameter name
|
* @param string $csrfParameter The CSRF token parameter name
|
||||||
* @param CsrfProviderInterface $csrfProvider A CsrfProviderInterface instance
|
* @param CsrfTokenGeneratorInterface $csrfTokenGenerator A CsrfTokenGeneratorInterface instance
|
||||||
*/
|
*/
|
||||||
public function registerListener($key, $logoutPath, $intention, $csrfParameter, CsrfProviderInterface $csrfProvider = null)
|
public function registerListener($key, $logoutPath, $csrfTokenId, $csrfParameter, CsrfTokenGeneratorInterface $csrfTokenGenerator = null)
|
||||||
{
|
{
|
||||||
$this->listeners[$key] = array($logoutPath, $intention, $csrfParameter, $csrfProvider);
|
$this->listeners[$key] = array($logoutPath, $csrfTokenId, $csrfParameter, $csrfTokenGenerator);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -94,9 +94,9 @@ class LogoutUrlHelper extends Helper
|
|||||||
throw new \InvalidArgumentException(sprintf('No LogoutListener found for firewall key "%s".', $key));
|
throw new \InvalidArgumentException(sprintf('No LogoutListener found for firewall key "%s".', $key));
|
||||||
}
|
}
|
||||||
|
|
||||||
list($logoutPath, $intention, $csrfParameter, $csrfProvider) = $this->listeners[$key];
|
list($logoutPath, $csrfTokenId, $csrfParameter, $csrfTokenGenerator) = $this->listeners[$key];
|
||||||
|
|
||||||
$parameters = null !== $csrfProvider ? array($csrfParameter => $csrfProvider->generateCsrfToken($intention)) : array();
|
$parameters = null !== $csrfTokenGenerator ? array($csrfParameter => $csrfTokenGenerator->generateCsrfToken($csrfTokenId)) : array();
|
||||||
|
|
||||||
if ('/' === $logoutPath[0]) {
|
if ('/' === $logoutPath[0]) {
|
||||||
$request = $this->container->get('request');
|
$request = $this->container->get('request');
|
||||||
|
@ -37,12 +37,12 @@ security:
|
|||||||
username_parameter: "user_login[username]"
|
username_parameter: "user_login[username]"
|
||||||
password_parameter: "user_login[password]"
|
password_parameter: "user_login[password]"
|
||||||
csrf_parameter: "user_login[_token]"
|
csrf_parameter: "user_login[_token]"
|
||||||
csrf_provider: form.csrf_provider
|
csrf_provider: security.csrf.token_generator
|
||||||
anonymous: ~
|
anonymous: ~
|
||||||
logout:
|
logout:
|
||||||
path: /logout_path
|
path: /logout_path
|
||||||
target: /
|
target: /
|
||||||
csrf_provider: form.csrf_provider
|
csrf_provider: security.csrf.token_generator
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
- { path: .*, roles: IS_AUTHENTICATED_FULLY }
|
- { path: .*, roles: IS_AUTHENTICATED_FULLY }
|
||||||
|
@ -23,7 +23,6 @@
|
|||||||
"require-dev": {
|
"require-dev": {
|
||||||
"symfony/framework-bundle": "~2.2",
|
"symfony/framework-bundle": "~2.2",
|
||||||
"symfony/twig-bundle": "~2.2",
|
"symfony/twig-bundle": "~2.2",
|
||||||
"symfony/form": "~2.1",
|
|
||||||
"symfony/validator": "~2.2",
|
"symfony/validator": "~2.2",
|
||||||
"symfony/yaml": "~2.0",
|
"symfony/yaml": "~2.0",
|
||||||
"symfony/expression-language": "~2.4"
|
"symfony/expression-language": "~2.4"
|
||||||
|
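Review bot: `symfony/form` is removed from `require-dev`, but nothing in the diff adds a dependency for the Security CSRF sub-component that `LogoutUrlHelper` now type-hints (`CsrfTokenGeneratorInterface`) and the test configuration references (`security.csrf.token_generator`). If that code ships inside the `symfony/security` package this bundle already requires (its constraint is outside the hunk), the constraint should be raised to the first version that contains it; if it is packaged separately, the package must be required here. The same applies to FrameworkBundle's composer.json, which is untouched even though its extension now loads definitions for Security classes.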