feature #41247 [Security] Deprecate the old authentication mechanisms (chalasr)

This PR was merged into the 5.3-dev branch.

Discussion
----------

[Security] Deprecate the old authentication mechanisms

| Q             | A
| ------------- | ---
| Branch?       | 5.3
| Bug fix?      | no
| New feature?  | no
| Deprecations? | yes/
| Tickets       |  #39308
| License       | MIT
| Doc PR        | todo

Now that the authenticator system proven working well and is considered stable, we can deprecate the old authentication listeners as well as the Guard component (+ integrations).

Commits
-------

0bb3964a2d [Security] Deprecate the old authentication mechanisms

UPGRADE-5.3.md

@@ -205,6 +205,15 @@ Security
  * Deprecate all classes in the `Core\Encoder\`  sub-namespace, use the `PasswordHasher` component instead
  * Deprecated voters that do not return a valid decision when calling the `vote` method
  * [BC break] Add optional array argument `$badges` to `UserAuthenticatorInterface::authenticateUser()`
+ * Deprecate `AuthenticationManagerInterface`, `AuthenticationProviderManager`, `AnonymousAuthenticationProvider`,
+   `AuthenticationProviderInterface`, `DaoAuthenticationProvider`, `LdapBindAuthenticationProvider`,
+   `PreAuthenticatedAuthenticationProvider`, `RememberMeAuthenticationProvider`, `UserAuthenticationProvider` and
+   `AuthenticationFailureEvent` from security-core, use the new authenticator system instead
+ * Deprecate `AbstractAuthenticationListener`, `AbstractPreAuthenticatedListener`, `AnonymousAuthenticationListener`,
+   `BasicAuthenticationListener`, `RememberMeListener`, `RemoteUserAuthenticationListener`,
+   `UsernamePasswordFormAuthenticationListener`, `UsernamePasswordJsonAuthenticationListener` and `X509AuthenticationListener`
+   from security-http, use the new authenticator system instead
+ * Deprecate the Guard component, use the new authenticator system instead
 
 SecurityBundle
 --------------
@@ -218,6 +227,10 @@ SecurityBundle
  * Deprecate the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases,
    use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead
  * Deprecate the public `security.authorization_checker` and `security.token_storage` services to private
+ * Not setting the `enable_authenticator_manager` config option to `true` is deprecated
+ * Deprecate the `security.authentication.provider.*` services, use the new authenticator system instead
+ * Deprecate the `security.authentication.listener.*` services, use the new authenticator system instead
+ * Deprecate the Guard component integration, use the new authenticator system instead
 
 Serializer
 ----------

UPGRADE-6.0.md

@@ -293,6 +293,15 @@ Security
    `DefaultAuthenticationSuccessHandler`.
  * Removed the `AbstractRememberMeServices::$providerKey` property in favor of `AbstractRememberMeServices::$firewallName`
  * `AccessDecisionManager` now throw an exception when a voter does not return a valid decision.
+ * Remove `AuthenticationManagerInterface`, `AuthenticationProviderManager`, `AnonymousAuthenticationProvider`,
+   `AuthenticationProviderInterface`, `DaoAuthenticationProvider`, `LdapBindAuthenticationProvider`,
+   `PreAuthenticatedAuthenticationProvider`, `RememberMeAuthenticationProvider`, `UserAuthenticationProvider` and
+   `AuthenticationFailureEvent` from security-core, use the new authenticator system instead
+ * Remove `AbstractAuthenticationListener`, `AbstractPreAuthenticatedListener`, `AnonymousAuthenticationListener`,
+   `BasicAuthenticationListener`, `RememberMeListener`, `RemoteUserAuthenticationListener`,
+   `UsernamePasswordFormAuthenticationListener`, `UsernamePasswordJsonAuthenticationListener` and `X509AuthenticationListener`
+   from security-http, use the new authenticator system instead
+ * Remove the Guard component, use the new authenticator system instead
 
 SecurityBundle
 --------------
@@ -304,6 +313,10 @@ SecurityBundle
  * Remove the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases,
    use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead
  * The `security.authorization_checker` and `security.token_storage` services are now private
+ * Not setting the `enable_authenticator_manager` option to `true` now throws an exception
+ * Remove the `security.authentication.provider.*` services, use the new authenticator system instead
+ * Remove the `security.authentication.listener.*` services, use the new authenticator system instead
+ * Remove the Guard component integration, use the new authenticator system instead
 
 Serializer
 ----------

src/Symfony/Bundle/FrameworkBundle/Tests/Functional/app/Security/config.yml

@@ -8,6 +8,8 @@ services:
             - container.service_subscriber
 
 security:
+    enable_authenticator_manager: true
+
     providers:
         main:
             memory:
@@ -30,3 +32,6 @@ security:
             form_login:
                 check_path: /custom/login/check
             provider: custom
+
+    access_control:
+        - { path: '^/main/user_profile$', roles: IS_AUTHENTICATED_FULLY }

src/Symfony/Bundle/SecurityBundle/CHANGELOG.md

@@ -17,6 +17,10 @@ CHANGELOG
  * Deprecate the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases,
    use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead
  * Deprecate the public `security.authorization_checker` and `security.token_storage` services to private
+ * Not setting the `enable_authenticator_manager` config option to `true` is deprecated
+ * Deprecate the `security.authentication.provider.*` services, use the new authenticator system instead
+ * Deprecate the `security.authentication.listener.*` services, use the new authenticator system instead
+ * Deprecate the Guard component integration, use the new authenticator system instead
 
 5.2.0
 -----

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AnonymousFactory.php

@@ -21,6 +21,8 @@ use Symfony\Component\DependencyInjection\Parameter;
  * @author Wouter de Jong <wouter@wouterj.nl>
  *
  * @internal
+ *
+ * @deprecated since Symfony 5.3, use the new authenticator system instead
  */
 class AnonymousFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
 {

src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

@@ -130,6 +130,8 @@ class SecurityExtension extends Extension implements PrependExtensionInterface
             $container->getDefinition('security.authorization_checker')->setArgument(4, false);
             $container->getDefinition('security.authorization_checker')->setArgument(5, false);
         } else {
+            trigger_deprecation('symfony/security-bundle', '5.3', 'Not setting the "security.enable_authenticator_manager" config option to true is deprecated.');
+
             $loader->load('security_legacy.php');
         }
 

src/Symfony/Bundle/SecurityBundle/Resources/config/guard.php

@@ -24,8 +24,10 @@ return static function (ContainerConfigurator $container) {
                 abstract_arg('stateless firewall keys'),
             ])
             ->call('setSessionAuthenticationStrategy', [service('security.authentication.session_strategy')])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->alias(GuardAuthenticatorHandler::class, 'security.authentication.guard_handler')
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%alias_id%" alias is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.provider.guard', GuardAuthenticationProvider::class)
             ->abstract()
@@ -36,6 +38,7 @@ return static function (ContainerConfigurator $container) {
                 abstract_arg('User Checker'),
                 service('security.password_hasher'),
             ])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.listener.guard', GuardAuthenticationListener::class)
             ->abstract()
@@ -48,5 +51,6 @@ return static function (ContainerConfigurator $container) {
                 param('security.authentication.hide_user_not_found'),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
     ;
 };

src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator.php

@@ -62,6 +62,7 @@ return static function (ContainerConfigurator $container) {
 
         ->set('security.authentication.manager', NoopAuthenticationManager::class)
         ->alias(AuthenticationManagerInterface::class, 'security.authentication.manager')
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%alias_id%" alias is deprecated, use the new authenticator system instead.')
 
         ->set('security.firewall.authenticator', AuthenticatorManagerListener::class)
             ->abstract()

src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_login_link.php

@@ -73,6 +73,6 @@ return static function (ContainerConfigurator $container) {
                 service('doctrine'),
                 abstract_arg('user entity class name'),
             ])
-
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
     ;
 };

src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.php

@@ -49,9 +49,11 @@ return static function (ContainerConfigurator $container) {
                 service('security.authentication.manager'),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.provider.anonymous', AnonymousAuthenticationProvider::class)
             ->args([abstract_arg('Key')])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.retry_entry_point', RetryAuthenticationEntryPoint::class)
             ->args([
@@ -161,6 +163,7 @@ return static function (ContainerConfigurator $container) {
         ->set('security.authentication.listener.form', UsernamePasswordFormAuthenticationListener::class)
             ->parent('security.authentication.listener.abstract')
             ->abstract()
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.listener.x509', X509AuthenticationListener::class)
             ->abstract()
@@ -174,6 +177,7 @@ return static function (ContainerConfigurator $container) {
                 service('event_dispatcher')->nullOnInvalid(),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.listener.json', UsernamePasswordJsonAuthenticationListener::class)
             ->abstract()
@@ -191,6 +195,7 @@ return static function (ContainerConfigurator $container) {
             ])
             ->call('setTranslator', [service('translator')->ignoreOnInvalid()])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.listener.remote_user', RemoteUserAuthenticationListener::class)
             ->abstract()
@@ -203,6 +208,7 @@ return static function (ContainerConfigurator $container) {
                 service('event_dispatcher')->nullOnInvalid(),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.listener.basic', BasicAuthenticationListener::class)
             ->abstract()
@@ -214,6 +220,7 @@ return static function (ContainerConfigurator $container) {
                 service('logger')->nullOnInvalid(),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.provider.dao', DaoAuthenticationProvider::class)
             ->abstract()
@@ -224,6 +231,7 @@ return static function (ContainerConfigurator $container) {
                 service('security.password_hasher_factory'),
                 param('security.authentication.hide_user_not_found'),
             ])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.provider.ldap_bind', LdapBindAuthenticationProvider::class)
             ->abstract()
@@ -237,6 +245,7 @@ return static function (ContainerConfigurator $container) {
                 abstract_arg('search dn'),
                 abstract_arg('search password'),
             ])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.provider.pre_authenticated', PreAuthenticatedAuthenticationProvider::class)
             ->abstract()
@@ -244,6 +253,7 @@ return static function (ContainerConfigurator $container) {
                 abstract_arg('User Provider'),
                 abstract_arg('UserChecker'),
             ])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.exception_listener', ExceptionListener::class)
             ->abstract()

src/Symfony/Bundle/SecurityBundle/Resources/config/security_rememberme.php

@@ -32,10 +32,12 @@ return static function (ContainerConfigurator $container) {
                 service('security.authentication.session_strategy'),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.authentication.provider.rememberme', RememberMeAuthenticationProvider::class)
             ->abstract()
             ->args([abstract_arg('User Checker')])
+            ->deprecate('symfony/security-bundle', '5.3', 'The "%service_id%" service is deprecated, use the new authenticator system instead.')
 
         ->set('security.rememberme.token.provider.in_memory', InMemoryTokenProvider::class)
 

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/AddSessionDomainConstraintPassTest.php

@@ -139,6 +139,7 @@ class AddSessionDomainConstraintPassTest extends TestCase
 
         $config = [
             'security' => [
+                'enable_authenticator_manager' => true,
                 'providers' => ['some_provider' => ['id' => 'foo']],
                 'firewalls' => ['some_firewall' => ['security' => false]],
             ],

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php

@@ -127,6 +127,127 @@ abstract class CompleteConfigurationTest extends TestCase
         $configs[0][2] = strtolower($configs[0][2]);
         $configs[2][2] = strtolower($configs[2][2]);
 
+        $this->assertEquals([
+            [
+                'simple',
+                'security.user_checker',
+                '.security.request_matcher.xmi9dcw',
+                false,
+                false,
+                '',
+                '',
+                '',
+                '',
+                '',
+                [],
+                null,
+            ],
+            [
+                'secure',
+                'security.user_checker',
+                null,
+                true,
+                true,
+                'security.user.provider.concrete.default',
+                null,
+                'security.authenticator.form_login.secure',
+                null,
+                null,
+                [
+                    'switch_user',
+                    'x509',
+                    'remote_user',
+                    'form_login',
+                    'http_basic',
+                    'remember_me',
+                ],
+                [
+                    'parameter' => '_switch_user',
+                    'role' => 'ROLE_ALLOWED_TO_SWITCH',
+                ],
+            ],
+            [
+                'host',
+                'security.user_checker',
+                '.security.request_matcher.iw4hyjb',
+                true,
+                false,
+                'security.user.provider.concrete.default',
+                'host',
+                'security.authenticator.http_basic.host',
+                null,
+                null,
+                [
+                    'http_basic',
+                ],
+                null,
+            ],
+            [
+                'with_user_checker',
+                'app.user_checker',
+                null,
+                true,
+                false,
+                'security.user.provider.concrete.default',
+                'with_user_checker',
+                'security.authenticator.http_basic.with_user_checker',
+                null,
+                null,
+                [
+                    'http_basic',
+                ],
+                null,
+            ],
+        ], $configs);
+
+        $this->assertEquals([
+            [],
+            [
+                'security.channel_listener',
+                'security.firewall.authenticator.secure',
+                'security.authentication.switchuser_listener.secure',
+                'security.access_listener',
+            ],
+            [
+                'security.channel_listener',
+                'security.context_listener.0',
+                'security.firewall.authenticator.host',
+                'security.access_listener',
+            ],
+            [
+                'security.channel_listener',
+                'security.context_listener.1',
+                'security.firewall.authenticator.with_user_checker',
+                'security.access_listener',
+            ],
+        ], $listeners);
+
+        $this->assertFalse($container->hasAlias('Symfony\Component\Security\Core\User\UserCheckerInterface', 'No user checker alias is registered when custom user checker services are registered'));
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testLegacyFirewalls()
+    {
+        $container = $this->getContainer('legacy_container1');
+        $arguments = $container->getDefinition('security.firewall.map')->getArguments();
+        $listeners = [];
+        $configs = [];
+        foreach (array_keys($arguments[1]->getValues()) as $contextId) {
+            $contextDef = $container->getDefinition($contextId);
+            $arguments = $contextDef->getArguments();
+            $listeners[] = array_map('strval', $arguments[0]->getValues());
+
+            $configDef = $container->getDefinition((string) $arguments[3]);
+            $configs[] = array_values($configDef->getArguments());
+        }
+
+        // the IDs of the services are case sensitive or insensitive depending on
+        // the Symfony version. Transform them to lowercase to simplify tests.
+        $configs[0][2] = strtolower($configs[0][2]);
+        $configs[2][2] = strtolower($configs[2][2]);
+
         $this->assertEquals([
             [
                 'simple',
@@ -881,15 +1002,21 @@ abstract class CompleteConfigurationTest extends TestCase
         ]], $container->getDefinition('security.password_hasher_factory')->getArguments());
     }
 
-    public function testRememberMeThrowExceptionsDefault()
+    /**
+     * @group legacy
+     */
+    public function testLegacyRememberMeThrowExceptionsDefault()
     {
-        $container = $this->getContainer('container1');
+        $container = $this->getContainer('legacy_container1');
         $this->assertTrue($container->getDefinition('security.authentication.listener.rememberme.secure')->getArgument(5));
     }
 
-    public function testRememberMeThrowExceptions()
+    /**
+     * @group legacy
+     */
+    public function testLegacyRememberMeThrowExceptions()
     {
-        $container = $this->getContainer('remember_me_options');
+        $container = $this->getContainer('legacy_remember_me_options');
         $service = $container->getDefinition('security.authentication.listener.rememberme.main');
         $this->assertEquals('security.authentication.rememberme.services.persistent.main', $service->getArgument(1));
         $this->assertFalse($service->getArgument(5));

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_customized_config.php

@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'access_decision_manager' => [
         'allow_if_all_abstain' => true,
         'allow_if_equal_granted_denied' => false,

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_default_strategy.php

@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'providers' => [
         'default' => [
             'memory' => [

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_service.php

@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'access_decision_manager' => [
         'service' => 'app.access_decision_manager',
     ],

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/access_decision_manager_service_and_strategy.php

@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'access_decision_manager' => [
         'service' => 'app.access_decision_manager',
         'strategy' => 'affirmative',

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/argon2i_hasher.php

@@ -3,6 +3,7 @@
 $this->load('container1.php');
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'password_hashers' => [
         'JMS\FooBundle\Entity\User7' => [
             'algorithm' => 'argon2i',

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/bcrypt_hasher.php

@@ -3,6 +3,7 @@
 $this->load('container1.php');
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'password_hashers' => [
         'JMS\FooBundle\Entity\User7' => [
             'algorithm' => 'bcrypt',

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php

@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'password_hashers' => [
         'JMS\FooBundle\Entity\User1' => 'plaintext',
         'JMS\FooBundle\Entity\User2' => [
@@ -70,26 +71,24 @@ $container->loadFromExtension('security', [
             'provider' => 'default',
             'http_basic' => true,
             'form_login' => true,
-            'anonymous' => true,
             'switch_user' => true,
             'x509' => true,
             'remote_user' => true,
             'logout' => true,
             'remember_me' => ['secret' => 'TheSecret'],
             'user_checker' => null,
+            'entry_point' => 'form_login'
         ],
         'host' => [
             'provider' => 'default',
             'pattern' => '/test',
             'host' => 'foo\\.example\\.org',
             'methods' => ['GET', 'POST'],
-            'anonymous' => true,
             'http_basic' => true,
         ],
         'with_user_checker' => [
             'provider' => 'default',
             'user_checker' => 'app.user_checker',
-            'anonymous' => true,
             'http_basic' => true,
         ],
     ],

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_provider.php

@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'providers' => [
         'default' => [
             'memory' => $memory = [

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/firewall_undefined_provider.php

@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'providers' => [
         'default' => [
             'memory' => [

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/legacy_container1.php

@@ -0,0 +1,108 @@
+<?php
+
+$container->loadFromExtension('security', [
+    'password_hashers' => [
+        'JMS\FooBundle\Entity\User1' => 'plaintext',
+        'JMS\FooBundle\Entity\User2' => [
+            'algorithm' => 'sha1',
+            'encode_as_base64' => false,
+            'iterations' => 5,
+        ],
+        'JMS\FooBundle\Entity\User3' => [
+            'algorithm' => 'md5',
+        ],
+        'JMS\FooBundle\Entity\User4' => [
+            'id' => 'security.hasher.foo',
+        ],
+        'JMS\FooBundle\Entity\User5' => [
+            'algorithm' => 'pbkdf2',
+            'hash_algorithm' => 'sha1',
+            'encode_as_base64' => false,
+            'iterations' => 5,
+            'key_length' => 30,
+        ],
+        'JMS\FooBundle\Entity\User6' => [
+            'algorithm' => 'native',
+            'time_cost' => 8,
+            'memory_cost' => 100,
+            'cost' => 15,
+        ],
+        'JMS\FooBundle\Entity\User7' => [
+            'algorithm' => 'auto',
+        ],
+    ],
+    'providers' => [
+        'default' => [
+            'memory' => [
+                'users' => [
+                    'foo' => ['password' => 'foo', 'roles' => 'ROLE_USER'],
+                ],
+            ],
+        ],
+        'digest' => [
+            'memory' => [
+                'users' => [
+                    'foo' => ['password' => 'foo', 'roles' => 'ROLE_USER, ROLE_ADMIN'],
+                ],
+            ],
+        ],
+        'basic' => [
+            'memory' => [
+                'users' => [
+                    'foo' => ['password' => '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33', 'roles' => 'ROLE_SUPER_ADMIN'],
+                    'bar' => ['password' => '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33', 'roles' => ['ROLE_USER', 'ROLE_ADMIN']],
+                ],
+            ],
+        ],
+        'service' => [
+            'id' => 'user.manager',
+        ],
+        'chain' => [
+            'chain' => [
+                'providers' => ['service', 'basic'],
+            ],
+        ],
+    ],
+
+    'firewalls' => [
+        'simple' => ['provider' => 'default', 'pattern' => '/login', 'security' => false],
+        'secure' => ['stateless' => true,
+            'provider' => 'default',
+            'http_basic' => true,
+            'form_login' => true,
+            'anonymous' => true,
+            'switch_user' => true,
+            'x509' => true,
+            'remote_user' => true,
+            'logout' => true,
+            'remember_me' => ['secret' => 'TheSecret'],
+            'user_checker' => null,
+        ],
+        'host' => [
+            'provider' => 'default',
+            'pattern' => '/test',
+            'host' => 'foo\\.example\\.org',
+            'methods' => ['GET', 'POST'],
+            'anonymous' => true,
+            'http_basic' => true,
+        ],
+        'with_user_checker' => [
+            'provider' => 'default',
+            'user_checker' => 'app.user_checker',
+            'anonymous' => true,
+            'http_basic' => true,
+        ],
+    ],
+
+    'access_control' => [
+        ['path' => '/blog/524', 'role' => 'ROLE_USER', 'requires_channel' => 'https', 'methods' => ['get', 'POST'], 'port' => 8000],
+        ['path' => '/blog/.*', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
+        ['path' => '/blog/524', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY', 'allow_if' => "token.getUserIdentifier() matches '/^admin/'"],
+    ],
+
+    'role_hierarchy' => [
+        'ROLE_ADMIN' => 'ROLE_USER',
+        'ROLE_SUPER_ADMIN' => ['ROLE_USER', 'ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'],
+        'ROLE_REMOTE' => 'ROLE_USER,ROLE_ADMIN',
+    ],
+]);

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/legacy_remember_me_options.php

@@ -0,0 +1,18 @@
+<?php
+
+$container->loadFromExtension('security', [
+    'providers' => [
+        'default' => ['id' => 'foo'],
+    ],
+
+    'firewalls' => [
+        'main' => [
+            'form_login' => true,
+            'remember_me' => [
+                'secret' => 'TheSecret',
+                'catch_exceptions' => false,
+                'token_provider' => 'token_provider_id',
+            ],
+        ],
+    ],
+]);

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/listener_provider.php

@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'providers' => [
         'default' => [
             'memory' => [

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/listener_undefined_provider.php

@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'providers' => [
         'default' => [
             'memory' => [

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/logout_delete_cookies.php

@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'providers' => [
         'default' => ['id' => 'foo'],
     ],

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/merge.php

@@ -3,6 +3,7 @@
 $this->load('merge_import.php');
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'providers' => [
         'default' => ['id' => 'foo'],
     ],

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/merge_import.php

@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'firewalls' => [
         'main' => [
             'form_login' => [

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/migrating_hasher.php

@@ -3,6 +3,7 @@
 $this->load('container1.php');
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'password_hashers' => [
         'JMS\FooBundle\Entity\User7' => [
             'algorithm' => 'argon2i',

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/no_custom_user_checker.php

@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'providers' => [
         'default' => [
             'memory' => [
@@ -16,13 +17,13 @@ $container->loadFromExtension('security', [
             'stateless' => true,
             'http_basic' => true,
             'form_login' => true,
-            'anonymous' => true,
             'switch_user' => true,
             'x509' => true,
             'remote_user' => true,
             'logout' => true,
             'remember_me' => ['secret' => 'TheSecret'],
             'user_checker' => null,
+            'entry_point' => 'form_login'
         ],
     ],
 ]);

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/remember_me_options.php

@@ -1,6 +1,7 @@
 <?php
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'providers' => [
         'default' => ['id' => 'foo'],
     ],

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/sodium_hasher.php

@@ -3,6 +3,7 @@
 $this->load('container1.php');
 
 $container->loadFromExtension('security', [
+    'enable_authenticator_manager' => true,
     'password_hashers' => [
         'JMS\FooBundle\Entity\User7' => [
             'algorithm' => 'sodium',

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_customized_config.xml

@@ -7,7 +7,7 @@
         http://symfony.com/schema/dic/security
         https://symfony.com/schema/dic/security/security-1.0.xsd">
 
-    <config>
+    <config enable-authenticator-manager="true">
         <access-decision-manager allow-if-all-abstain="true" allow-if-equal-granted-denied="false" />
 
         <provider name="default">

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_default_strategy.xml

@@ -7,7 +7,7 @@
         http://symfony.com/schema/dic/security
         https://symfony.com/schema/dic/security/security-1.0.xsd">
 
-    <config>
+    <config enable-authenticator-manager="true">
         <provider name="default">
             <memory>
                 <user identifier="foo" password="foo" roles="ROLE_USER" />

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_service.xml

@@ -7,7 +7,7 @@
         http://symfony.com/schema/dic/security
         https://symfony.com/schema/dic/security/security-1.0.xsd">
 
-    <config>
+    <config enable-authenticator-manager="true">
         <access-decision-manager service="app.access_decision_manager" />
 
         <provider name="default">

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/access_decision_manager_service_and_strategy.xml

@@ -7,7 +7,7 @@
         http://symfony.com/schema/dic/security
         https://symfony.com/schema/dic/security/security-1.0.xsd">
 
-    <config>
+    <config enable-authenticator-manager="true">
         <access-decision-manager service="app.access_decision_manager" strategy="affirmative" />
 
         <provider name="default">

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/argon2i_hasher.xml

@@ -12,7 +12,7 @@
         <import resource="container1.xml"/>
     </imports>
 
-    <sec:config>
+    <sec:config enable-authenticator-manager="true">
         <sec:password_hasher class="JMS\FooBundle\Entity\User7" algorithm="argon2i" memory-cost="256" time-cost="1" />
     </sec:config>
 

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/bcrypt_hasher.xml

@@ -12,7 +12,7 @@
         <import resource="container1.xml"/>
     </imports>
 
-    <sec:config>
+    <sec:config enable-authenticator-manager="true">
         <sec:password_hasher class="JMS\FooBundle\Entity\User7" algorithm="bcrypt" cost="15" />
     </sec:config>
 

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml

@@ -8,7 +8,7 @@
         http://symfony.com/schema/dic/security
         https://symfony.com/schema/dic/security/security-1.0.xsd">
 
-    <config>
+    <config enable-authenticator-manager="true">
         <password_hasher class="JMS\FooBundle\Entity\User1" algorithm="plaintext" />
 
         <password_hasher class="JMS\FooBundle\Entity\User2" algorithm="sha1" encode-as-base64="false" iterations="5" />
@@ -50,10 +50,9 @@
 
         <firewall name="simple" pattern="/login" security="false" provider="default" />
 
-        <firewall name="secure" stateless="true" provider="default">
+        <firewall name="secure" stateless="true" provider="default" entry-point="form_login">
             <http-basic />
             <form-login />
-            <anonymous />
             <switch-user />
             <x509 />
             <remote-user />
@@ -62,12 +61,10 @@
         </firewall>
 
         <firewall name="host" pattern="/test" host="foo\.example\.org" methods="GET,POST" provider="default">
-            <anonymous />
             <http-basic />
         </firewall>
 
         <firewall name="with_user_checker" provider="default">
-            <anonymous />
             <http-basic />
             <user-checker>app.user_checker</user-checker>
         </firewall>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/firewall_provider.xml

@@ -8,7 +8,7 @@
         http://symfony.com/schema/dic/security
         https://symfony.com/schema/dic/security/security-1.0.xsd">
 
-    <sec:config>
+    <sec:config enable-authenticator-manager="true">
         <sec:providers>
             <sec:provider name="with-dash" id="foo" />
         </sec:providers>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/firewall_undefined_provider.xml

@@ -8,7 +8,7 @@
         http://symfony.com/schema/dic/security
         https://symfony.com/schema/dic/security/security-1.0.xsd">
 
-    <sec:config>
+    <sec:config enable-authenticator-manager="true">
         <sec:providers>
             <sec:provider name="default" id="foo" />
         </sec:providers>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/legacy_container1.xml

@@ -0,0 +1,83 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<srv:container xmlns="http://symfony.com/schema/dic/security"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:srv="http://symfony.com/schema/dic/services"
+    xsi:schemaLocation="http://symfony.com/schema/dic/services
+        https://symfony.com/schema/dic/services/services-1.0.xsd
+        http://symfony.com/schema/dic/security
+        https://symfony.com/schema/dic/security/security-1.0.xsd">
+
+    <config>
+        <password_hasher class="JMS\FooBundle\Entity\User1" algorithm="plaintext" />
+
+        <password_hasher class="JMS\FooBundle\Entity\User2" algorithm="sha1" encode-as-base64="false" iterations="5" />
+
+        <password_hasher class="JMS\FooBundle\Entity\User3" algorithm="md5" />
+
+        <password_hasher class="JMS\FooBundle\Entity\User4" id="security.hasher.foo" />
+
+        <password_hasher class="JMS\FooBundle\Entity\User5" algorithm="pbkdf2" hash-algorithm="sha1" encode-as-base64="false" iterations="5" key-length="30" />
+
+        <password_hasher class="JMS\FooBundle\Entity\User6" algorithm="native" time-cost="8" memory-cost="100" cost="15" />
+
+        <password_hasher class="JMS\FooBundle\Entity\User7" algorithm="auto" />
+
+        <provider name="default">
+            <memory>
+                <user identifier="foo" password="foo" roles="ROLE_USER" />
+            </memory>
+        </provider>
+
+        <provider name="digest">
+            <memory>
+                <user identifier="foo" password="foo" roles="ROLE_USER, ROLE_ADMIN" />
+            </memory>
+        </provider>
+
+        <provider name="basic">
+            <memory>
+                <user identifier="foo" password="0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33" roles="ROLE_SUPER_ADMIN" />
+                <user identifier="bar" password="0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33" roles="ROLE_USER, ROLE_ADMIN" />
+            </memory>
+        </provider>
+
+        <provider name="service" id="user.manager" />
+
+        <provider name="chain">
+            <chain providers="service, basic" />
+        </provider>
+
+        <firewall name="simple" pattern="/login" security="false" provider="default" />
+
+        <firewall name="secure" stateless="true" provider="default">
+            <http-basic />
+            <form-login />
+            <anonymous />
+            <switch-user />
+            <x509 />
+            <remote-user />
+            <logout />
+            <remember-me secret="TheSecret"/>
+        </firewall>
+
+        <firewall name="host" pattern="/test" host="foo\.example\.org" methods="GET,POST" provider="default">
+            <anonymous />
+            <http-basic />
+        </firewall>
+
+        <firewall name="with_user_checker" provider="default">
+            <anonymous />
+            <http-basic />
+            <user-checker>app.user_checker</user-checker>
+        </firewall>
+
+        <role id="ROLE_ADMIN">ROLE_USER</role>
+        <role id="ROLE_SUPER_ADMIN">ROLE_USER,ROLE_ADMIN,ROLE_ALLOWED_TO_SWITCH</role>
+        <role id="ROLE_REMOTE">ROLE_USER,ROLE_ADMIN</role>
+
+        <rule path="/blog/524" role="ROLE_USER" requires-channel="https" methods="get,POST" port="8000" />
+        <rule role='IS_AUTHENTICATED_ANONYMOUSLY' path="/blog/.*" />
+        <rule role='IS_AUTHENTICATED_ANONYMOUSLY' allow-if="token.getUserIdentifier() matches '/^admin/'" path="/blog/524" />
+    </config>
+</srv:container>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/legacy_remember_me_options.xml

@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:sec="http://symfony.com/schema/dic/security"
+    xsi:schemaLocation="http://symfony.com/schema/dic/services
+    https://symfony.com/schema/dic/services/services-1.0.xsd
+    http://symfony.com/schema/dic/security
+    https://symfony.com/schema/dic/security/security-1.0.xsd">
+
+    <sec:config>
+        <sec:providers>
+            <sec:provider name="default" id="foo"/>
+        </sec:providers>
+        <sec:firewall name="main">
+            <sec:form-login/>
+            <sec:remember-me secret="TheSecret" catch-exceptions="false" token-provider="token_provider_id" />
+        </sec:firewall>
+    </sec:config>
+
+</container>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/listener_provider.xml

@@ -8,7 +8,7 @@
         http://symfony.com/schema/dic/security
         https://symfony.com/schema/dic/security/security-1.0.xsd">
 
-    <sec:config>
+    <sec:config enable-authenticator-manager="true">
         <sec:providers>
             <sec:provider name="default" id="foo" />
         </sec:providers>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/listener_undefined_provider.xml

@@ -8,7 +8,7 @@
         http://symfony.com/schema/dic/security
         https://symfony.com/schema/dic/security/security-1.0.xsd">
 
-    <sec:config>
+    <sec:config enable-authenticator-manager="true">
         <sec:providers>
             <sec:provider name="default" id="foo" />
         </sec:providers>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/logout_delete_cookies.xml

@@ -8,7 +8,7 @@
         http://symfony.com/schema/dic/security
         https://symfony.com/schema/dic/security/security-1.0.xsd">
 
-    <config>
+    <sec:config enable-authenticator-manager="true">
         <provider name="default" id="foo" />
 
         <firewall name="main" provider="default">

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/merge.xml

@@ -12,7 +12,7 @@
         <import resource="merge_import.xml"/>
     </imports>
 
-    <sec:config>
+    <sec:config enable-authenticator-manager="true">
         <sec:provider name="default" id="foo" />
 
         <sec:firewall name="main" form-login="false">

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/merge_import.xml

@@ -8,7 +8,7 @@
         http://symfony.com/schema/dic/security
         https://symfony.com/schema/dic/security/security-1.0.xsd">
 
-    <config>
+    <config enable-authenticator-manager="true">
         <firewall name="main">
             <form-login login-path="/login" />
         </firewall>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/migrating_hasher.xml

@@ -12,7 +12,7 @@
         <import resource="container1.xml"/>
     </imports>
 
-    <sec:config>
+    <sec:config enable-authenticator-manager="true">
         <sec:password_hasher class="JMS\FooBundle\Entity\User7" algorithm="argon2i" memory-cost="256" time-cost="1">
             <sec:migrate-from>bcrypt</sec:migrate-from>
         </sec:password_hasher>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/no_custom_user_checker.xml

@@ -7,7 +7,7 @@
         http://symfony.com/schema/dic/security
         https://symfony.com/schema/dic/security/security-1.0.xsd">
 
-    <config>
+    <config enable-authenticator-manager="true">
         <provider name="default">
             <memory>
                 <user identifier="foo" password="foo" roles="ROLE_USER" />
@@ -16,10 +16,9 @@
 
         <firewall name="simple" pattern="/login" security="false" />
 
-        <firewall name="secure" stateless="true">
+        <firewall name="secure" stateless="true" entry-point="form-login">
             <http-basic />
             <form-login />
-            <anonymous />
             <switch-user />
             <x509 />
             <remote-user />

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/remember_me_options.xml

@@ -8,7 +8,7 @@
     http://symfony.com/schema/dic/security
     https://symfony.com/schema/dic/security/security-1.0.xsd">
 
-    <sec:config>
+    <sec:config enable-authenticator-manager="true">
         <sec:providers>
             <sec:provider name="default" id="foo"/>
         </sec:providers>

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/sodium_hasher.xml

@@ -12,7 +12,7 @@
         <import resource="container1.xml"/>
     </imports>
 
-    <sec:config>
+    <sec:config enable-authenticator-manager="true">
         <sec:password_hasher class="JMS\FooBundle\Entity\User7" algorithm="sodium" time-cost="8" memory-cost="131072" />
     </sec:config>
 

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/access_decision_manager_customized_config.yml

@@ -1,4 +1,5 @@
 security:
+    enable_authenticator_manager: true
     access_decision_manager:
         allow_if_all_abstain: true
         allow_if_equal_granted_denied: false

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/access_decision_manager_default_strategy.yml

@@ -1,4 +1,5 @@
 security:
+    enable_authenticator_manager: true
     providers:
         default:
             memory:

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/access_decision_manager_service.yml

@@ -1,4 +1,5 @@
 security:
+    enable_authenticator_manager: true
     access_decision_manager:
         service: app.access_decision_manager
     providers:

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/access_decision_manager_service_and_strategy.yml

@@ -1,4 +1,5 @@
 security:
+    enable_authenticator_manager: true
     access_decision_manager:
         service: app.access_decision_manager
         strategy: affirmative

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/argon2i_hasher.yml

@@ -2,6 +2,7 @@ imports:
     - { resource: container1.yml }
 
 security:
+    enable_authenticator_manager: true
     password_hashers:
         JMS\FooBundle\Entity\User7:
             algorithm: argon2i

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/bcrypt_hasher.yml

@@ -2,6 +2,7 @@ imports:
     - { resource: container1.yml }
 
 security:
+    enable_authenticator_manager: true
     password_hashers:
         JMS\FooBundle\Entity\User7:
             algorithm: bcrypt

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/container1.yml

@@ -1,4 +1,5 @@
 security:
+    enable_authenticator_manager: true
     password_hashers:
         JMS\FooBundle\Entity\User1: plaintext
         JMS\FooBundle\Entity\User2:
@@ -51,7 +52,6 @@ security:
             stateless: true
             http_basic: true
             form_login: true
-            anonymous: true
             switch_user:
             x509: true
             remote_user: true
@@ -59,18 +59,17 @@ security:
             remember_me:
                 secret: TheSecret
             user_checker: ~
+            entry_point: form_login
 
         host:
             provider: default
             pattern: /test
             host: foo\.example\.org
             methods: [GET,POST]
-            anonymous: true
             http_basic: true
 
         with_user_checker:
             provider: default
-            anonymous: ~
             http_basic: ~
             user_checker: app.user_checker
 

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/firewall_provider.yml

@@ -1,4 +1,5 @@
 security:
+    enable_authenticator_manager: true
     providers:
         default:
             memory:

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/firewall_undefined_provider.yml

@@ -1,4 +1,5 @@
 security:
+    enable_authenticator_manager: true
     providers:
         default:
             memory:

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/legacy_container1.yml

@@ -0,0 +1,87 @@
+security:
+    password_hashers:
+        JMS\FooBundle\Entity\User1: plaintext
+        JMS\FooBundle\Entity\User2:
+            algorithm: sha1
+            encode_as_base64: false
+            iterations: 5
+        JMS\FooBundle\Entity\User3:
+            algorithm: md5
+        JMS\FooBundle\Entity\User4:
+            id: security.hasher.foo
+        JMS\FooBundle\Entity\User5:
+            algorithm: pbkdf2
+            hash_algorithm: sha1
+            encode_as_base64: false
+            iterations: 5
+            key_length: 30
+        JMS\FooBundle\Entity\User6:
+            algorithm: native
+            time_cost: 8
+            memory_cost: 100
+            cost: 15
+        JMS\FooBundle\Entity\User7:
+            algorithm: auto
+
+    providers:
+        default:
+            memory:
+                users:
+                    foo: { password: foo, roles: ROLE_USER }
+        digest:
+            memory:
+                users:
+                    foo: { password: foo, roles: 'ROLE_USER, ROLE_ADMIN' }
+        basic:
+            memory:
+                users:
+                    foo: { password: 0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33, roles: ROLE_SUPER_ADMIN }
+                    bar: { password: 0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33, roles: [ROLE_USER, ROLE_ADMIN] }
+        service:
+            id: user.manager
+        chain:
+            chain:
+                providers: [service, basic]
+
+
+    firewalls:
+        simple: { pattern: /login, security: false }
+        secure:
+            provider: default
+            stateless: true
+            http_basic: true
+            form_login: true
+            anonymous: true
+            switch_user:
+            x509: true
+            remote_user: true
+            logout: true
+            remember_me:
+                secret: TheSecret
+            user_checker: ~
+
+        host:
+            provider: default
+            pattern: /test
+            host: foo\.example\.org
+            methods: [GET,POST]
+            anonymous: true
+            http_basic: true
+
+        with_user_checker:
+            provider: default
+            anonymous: ~
+            http_basic: ~
+            user_checker: app.user_checker
+
+    role_hierarchy:
+        ROLE_ADMIN:       ROLE_USER
+        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
+        ROLE_REMOTE:      ROLE_USER,ROLE_ADMIN
+
+    access_control:
+        - { path: /blog/524, role: ROLE_USER, requires_channel: https, methods: [get, POST], port: 8000}
+        -
+            path: /blog/.*
+            role: IS_AUTHENTICATED_ANONYMOUSLY
+        - { path: /blog/524, role: IS_AUTHENTICATED_ANONYMOUSLY, allow_if: "token.getUserIdentifier() matches '/^admin/'" }

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/legacy_remember_me_options.yml

@@ -0,0 +1,12 @@
+security:
+    providers:
+        default:
+            id: foo
+
+    firewalls:
+        main:
+            form_login: true
+            remember_me:
+                secret: TheSecret
+                catch_exceptions: false
+                token_provider: token_provider_id

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/listener_provider.yml

@@ -1,4 +1,5 @@
 security:
+    enable_authenticator_manager: true
     providers:
         default:
             memory:

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/listener_undefined_provider.yml

@@ -1,4 +1,5 @@
 security:
+    enable_authenticator_manager: true
     providers:
         default:
             memory:

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/logout_delete_cookies.yml

@@ -1,4 +1,5 @@
 security:
+    enable_authenticator_manager: true
     providers:
         default:
             id: foo

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/merge.yml

@@ -2,6 +2,7 @@ imports:
     - { resource: merge_import.yml }
 
 security:
+    enable_authenticator_manager: true
     providers:
         default: { id: foo }
 

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/merge_import.yml

@@ -1,4 +1,5 @@
 security:
+    enable_authenticator_manager: true
     firewalls:
         main:
             form_login:

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/migrating_hasher.yml

@@ -2,6 +2,7 @@ imports:
     - { resource: container1.yml }
 
 security:
+    enable_authenticator_manager: true
     password_hashers:
         JMS\FooBundle\Entity\User7:
             algorithm: argon2i

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/no_custom_user_checker.yml

@@ -1,4 +1,6 @@
 security:
+    enable_authenticator_manager: true
+
     providers:
         default:
             memory:
@@ -11,7 +13,6 @@ security:
             stateless: true
             http_basic: true
             form_login: true
-            anonymous: true
             switch_user: true
             x509: true
             remote_user: true
@@ -19,3 +20,4 @@ security:
             remember_me:
                 secret: TheSecret
             user_checker: ~
+            entry_point: form_login

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/remember_me_options.yml

@@ -1,4 +1,6 @@
 security:
+    enable_authenticator_manager: true
+
     providers:
         default:
             id: foo

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/sodium_hasher.yml

@@ -2,6 +2,7 @@ imports:
     - { resource: container1.yml }
 
 security:
+    enable_authenticator_manager: true
     password_hashers:
         JMS\FooBundle\Entity\User7:
             algorithm: sodium

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php

@@ -49,6 +49,7 @@ class SecurityExtensionTest extends TestCase
         $container = $this->getRawContainer();
 
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'default' => ['id' => 'foo'],
             ],
@@ -66,6 +67,9 @@ class SecurityExtensionTest extends TestCase
         $container->compile();
     }
 
+    /**
+     * @group legacy
+     */
     public function testFirewallWithoutAuthenticationListener()
     {
         $this->expectException(InvalidConfigurationException::class);
@@ -97,6 +101,7 @@ class SecurityExtensionTest extends TestCase
         $extension->addUserProviderFactory(new DummyProvider());
 
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'my_foo' => ['foo' => []],
             ],
@@ -117,6 +122,7 @@ class SecurityExtensionTest extends TestCase
         $container = $this->getRawContainer();
 
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'default' => ['id' => 'foo'],
             ],
@@ -136,6 +142,9 @@ class SecurityExtensionTest extends TestCase
         $this->assertFalse($container->hasDefinition('security.access.role_hierarchy_voter'));
     }
 
+    /**
+     * @group legacy
+     */
     public function testGuardHandlerIsPassedStatelessFirewalls()
     {
         $container = $this->getRawContainer();
@@ -168,6 +177,7 @@ class SecurityExtensionTest extends TestCase
         $container = $this->getRawContainer();
 
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'default' => ['id' => 'foo'],
             ],
@@ -190,6 +200,7 @@ class SecurityExtensionTest extends TestCase
     {
         $container = $this->getRawContainer();
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'first' => ['id' => 'foo'],
                 'second' => ['id' => 'bar'],
@@ -212,6 +223,7 @@ class SecurityExtensionTest extends TestCase
         $this->expectExceptionMessage('Not configuring explicitly the provider for the "http_basic" listener on "ambiguous" firewall is ambiguous as there is more than one registered provider.');
         $container = $this->getRawContainer();
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'first' => ['id' => 'foo'],
                 'second' => ['id' => 'bar'],
@@ -232,6 +244,7 @@ class SecurityExtensionTest extends TestCase
     {
         $container = $this->getRawContainer();
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'first' => ['id' => 'foo'],
                 'second' => ['id' => 'bar'],
@@ -241,7 +254,6 @@ class SecurityExtensionTest extends TestCase
                 'default' => [
                     'form_login' => ['provider' => 'second'],
                     'remember_me' => ['secret' => 'baz'],
-                    'anonymous' => true,
                 ],
             ],
         ]);
@@ -257,6 +269,7 @@ class SecurityExtensionTest extends TestCase
         $rawExpression = "'foo' == 'bar' or 1 in [1, 3, 3]";
 
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'default' => ['id' => 'foo'],
             ],
@@ -295,6 +308,7 @@ class SecurityExtensionTest extends TestCase
     {
         $container = $this->getRawContainer();
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'default' => ['id' => 'foo'],
             ],
@@ -315,6 +329,7 @@ class SecurityExtensionTest extends TestCase
         $container = $this->getRawContainer();
 
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'default' => ['id' => 'foo'],
             ],
@@ -337,6 +352,7 @@ class SecurityExtensionTest extends TestCase
         $container = $this->getRawContainer();
 
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'first' => ['id' => 'foo'],
                 'second' => ['id' => 'bar'],
@@ -357,6 +373,7 @@ class SecurityExtensionTest extends TestCase
 
     /**
      * @dataProvider sessionConfigurationProvider
+     * @group legacy
      */
     public function testRememberMeCookieInheritFrameworkSessionCookie($config, $samesite, $secure)
     {
@@ -396,6 +413,7 @@ class SecurityExtensionTest extends TestCase
         $container = $this->getRawContainer();
 
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'default' => ['id' => 'foo'],
             ],
@@ -471,6 +489,7 @@ class SecurityExtensionTest extends TestCase
     {
         $container = $this->getRawContainer();
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'first' => ['id' => 'foo'],
                 'second' => ['id' => 'bar'],
@@ -481,7 +500,6 @@ class SecurityExtensionTest extends TestCase
                     'switch_user' => [
                         'provider' => 'second',
                     ],
-                    'anonymous' => true,
                 ],
             ],
         ]);
@@ -496,6 +514,7 @@ class SecurityExtensionTest extends TestCase
         $container = $this->getRawContainer();
 
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'default' => ['id' => 'foo'],
             ],
@@ -521,6 +540,7 @@ class SecurityExtensionTest extends TestCase
         $container = $this->getRawContainer();
 
         $container->loadFromExtension('security', [
+            'enable_authenticator_manager' => true,
             'providers' => [
                 'default' => ['id' => 'foo'],
             ],
@@ -542,6 +562,7 @@ class SecurityExtensionTest extends TestCase
     }
 
     /**
+     * @group legacy
      * @dataProvider provideEntryPointFirewalls
      */
     public function testAuthenticatorManagerEnabledEntryPoint(array $firewall, $entryPointId)
@@ -738,6 +759,9 @@ class SecurityExtensionTest extends TestCase
         yield [['user_checker' => TestUserChecker::class], TestUserChecker::class];
     }
 
+    /**
+     * @group legacy
+     */
     public function testConfigureCustomFirewallListener()
     {
         $container = $this->getRawContainer();

src/Symfony/Bundle/SecurityBundle/Tests/Functional/AnonymousTest.php

@@ -11,6 +11,9 @@
 
 namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
 
+/**
+ * @group legacy
+ */
 class AnonymousTest extends AbstractWebTestCase
 {
     public function testAnonymous()

src/Symfony/Bundle/SecurityBundle/Tests/Functional/AuthenticationCommencingTest.php

@@ -13,20 +13,22 @@ namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
 
 class AuthenticationCommencingTest extends AbstractWebTestCase
 {
-    /**
+    public function testAuthenticationIsCommencingIfAccessDeniedExceptionIsWrapped()
-     * @dataProvider provideClientOptions
-     */
-    public function testAuthenticationIsCommencingIfAccessDeniedExceptionIsWrapped(array $options)
     {
-        $client = $this->createClient($options);
+        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'base_config.yml']);
 
         $client->request('GET', '/secure-but-not-covered-by-access-control');
         $this->assertRedirect($client->getResponse(), '/login');
     }
 
-    public function provideClientOptions()
+    /**
+     * @group legacy
+     */
+    public function testLegacyAuthenticationIsCommencingIfAccessDeniedExceptionIsWrapped()
     {
-        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'config.yml', 'enable_authenticator_manager' => true]];
+        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'legacy_config.yml']);
-        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'legacy_config.yml', 'enable_authenticator_manager' => false]];
+
+        $client->request('GET', '/secure-but-not-covered-by-access-control');
+        $this->assertRedirect($client->getResponse(), '/login');
     }
 }

src/Symfony/Bundle/SecurityBundle/Tests/Functional/AutowiringTypesTest.php

@@ -30,6 +30,22 @@ class AutowiringTypesTest extends AbstractWebTestCase
         $this->assertInstanceOf(TraceableAccessDecisionManager::class, $autowiredServices->getAccessDecisionManager(), 'The debug.security.access.decision_manager service should be injected in non-debug mode');
     }
 
+    /**
+     * @group legacy
+     */
+    public function testLegacyAccessDecisionManagerAutowiring()
+    {
+        static::bootKernel(['debug' => false, 'root_config' => 'legacy_config.yml']);
+
+        $autowiredServices = static::getContainer()->get('test.autowiring_types.autowired_services');
+        $this->assertInstanceOf(AccessDecisionManager::class, $autowiredServices->getAccessDecisionManager(), 'The security.access.decision_manager service should be injected in debug mode');
+
+        static::bootKernel(['debug' => true, 'root_config' => 'legacy_config.yml']);
+
+        $autowiredServices = static::getContainer()->get('test.autowiring_types.autowired_services');
+        $this->assertInstanceOf(TraceableAccessDecisionManager::class, $autowiredServices->getAccessDecisionManager(), 'The debug.security.access.decision_manager service should be injected in non-debug mode');
+    }
+
     protected static function createKernel(array $options = []): KernelInterface
     {
         return parent::createKernel(['test_case' => 'AutowiringTypes'] + $options);

src/Symfony/Bundle/SecurityBundle/Tests/Functional/CsrfFormLoginTest.php

@@ -100,11 +100,106 @@ class CsrfFormLoginTest extends AbstractWebTestCase
         $this->assertStringContainsString('You\'re browsing to path "/protected-resource".', $text);
     }
 
+    /**
+     * @group legacy
+     * @dataProvider provideLegacyClientOptions
+     */
+    public function testLegacyFormLoginAndLogoutWithCsrfTokens($options)
+    {
+        $client = $this->createClient($options);
+
+        $form = $client->request('GET', '/login')->selectButton('login')->form();
+        $form['user_login[username]'] = 'johannes';
+        $form['user_login[password]'] = 'test';
+        $client->submit($form);
+
+        $this->assertRedirect($client->getResponse(), '/profile');
+
+        $crawler = $client->followRedirect();
+
+        $text = $crawler->text(null, true);
+        $this->assertStringContainsString('Hello johannes!', $text);
+        $this->assertStringContainsString('You\'re browsing to path "/profile".', $text);
+
+        $logoutLinks = $crawler->selectLink('Log out')->links();
+        $this->assertCount(2, $logoutLinks);
+        $this->assertStringContainsString('_csrf_token=', $logoutLinks[0]->getUri());
+
+        $client->click($logoutLinks[0]);
+
+        $this->assertRedirect($client->getResponse(), '/');
+    }
+
+    /**
+     * @group legacy
+     * @dataProvider provideLegacyClientOptions
+     */
+    public function testLegacyFormLoginWithInvalidCsrfToken($options)
+    {
+        $client = $this->createClient($options);
+
+        $form = $client->request('GET', '/login')->selectButton('login')->form();
+        $form['user_login[_token]'] = '';
+        $client->submit($form);
+
+        $this->assertRedirect($client->getResponse(), '/login');
+
+        $text = $client->followRedirect()->text(null, true);
+        $this->assertStringContainsString('Invalid CSRF token.', $text);
+    }
+
+    /**
+     * @group legacy
+     * @dataProvider provideLegacyClientOptions
+     */
+    public function testFormLegacyLoginWithCustomTargetPath($options)
+    {
+        $client = $this->createClient($options);
+
+        $form = $client->request('GET', '/login')->selectButton('login')->form();
+        $form['user_login[username]'] = 'johannes';
+        $form['user_login[password]'] = 'test';
+        $form['user_login[_target_path]'] = '/foo';
+        $client->submit($form);
+
+        $this->assertRedirect($client->getResponse(), '/foo');
+
+        $text = $client->followRedirect()->text(null, true);
+        $this->assertStringContainsString('Hello johannes!', $text);
+        $this->assertStringContainsString('You\'re browsing to path "/foo".', $text);
+    }
+
+    /**
+     * @group legacy
+     * @dataProvider provideLegacyClientOptions
+     */
+    public function testLegacyFormLoginRedirectsToProtectedResourceAfterLogin($options)
+    {
+        $client = $this->createClient($options);
+
+        $client->request('GET', '/protected-resource');
+        $this->assertRedirect($client->getResponse(), '/login');
+
+        $form = $client->followRedirect()->selectButton('login')->form();
+        $form['user_login[username]'] = 'johannes';
+        $form['user_login[password]'] = 'test';
+        $client->submit($form);
+        $this->assertRedirect($client->getResponse(), '/protected-resource');
+
+        $text = $client->followRedirect()->text(null, true);
+        $this->assertStringContainsString('Hello johannes!', $text);
+        $this->assertStringContainsString('You\'re browsing to path "/protected-resource".', $text);
+    }
+
     public function provideClientOptions()
     {
         yield [['test_case' => 'CsrfFormLogin', 'root_config' => 'config.yml', 'enable_authenticator_manager' => true]];
-        yield [['test_case' => 'CsrfFormLogin', 'root_config' => 'legacy_config.yml', 'enable_authenticator_manager' => false]];
         yield [['test_case' => 'CsrfFormLogin', 'root_config' => 'routes_as_path.yml', 'enable_authenticator_manager' => true]];
+    }
+
+    public function provideLegacyClientOptions()
+    {
+        yield [['test_case' => 'CsrfFormLogin', 'root_config' => 'legacy_config.yml', 'enable_authenticator_manager' => false]];
         yield [['test_case' => 'CsrfFormLogin', 'root_config' => 'legacy_routes_as_path.yml', 'enable_authenticator_manager' => false]];
     }
 }

src/Symfony/Bundle/SecurityBundle/Tests/Functional/FirewallEntryPointTest.php

@@ -15,9 +15,25 @@ use Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\FirewallEntryPointBund
 
 class FirewallEntryPointTest extends AbstractWebTestCase
 {
+    public function testItUsesTheConfiguredEntryPointFromTheExceptionListenerWithFormLoginAndNoCredentials()
+    {
+        $client = $this->createClient(['test_case' => 'FirewallEntryPoint', 'root_config' => 'config_form_login.yml']);
+
+        $client->request('GET', '/secure/resource');
+
+        $this->assertEquals(
+            EntryPointStub::RESPONSE_TEXT,
+            $client->getResponse()->getContent(),
+            "Custom entry point wasn't started"
+        );
+    }
+
+    /**
+     * @group legacy
+     */
     public function testItUsesTheConfiguredEntryPointWhenUsingUnknownCredentials()
     {
-        $client = $this->createClient(['test_case' => 'FirewallEntryPoint']);
+        $client = $this->createClient(['test_case' => 'FirewallEntryPoint', 'root_config' => 'legacy_config.yml']);
 
         $client->request('GET', '/secure/resource', [], [], [
             'PHP_AUTH_USER' => 'unknown',
@@ -32,11 +48,11 @@ class FirewallEntryPointTest extends AbstractWebTestCase
     }
 
     /**
-     * @dataProvider provideSecuritySystems
+     * @group legacy
      */
-    public function testItUsesTheConfiguredEntryPointFromTheExceptionListenerWithFormLoginAndNoCredentials(array $options)
+    public function testLegacyItUsesTheConfiguredEntryPointFromTheExceptionListenerWithFormLoginAndNoCredentials()
     {
-        $client = $this->createClient($options + ['test_case' => 'FirewallEntryPoint', 'root_config' => 'config_form_login.yml']);
+        $client = $this->createClient(['test_case' => 'FirewallEntryPoint', 'root_config' => 'legacy_config_form_login.yml']);
 
         $client->request('GET', '/secure/resource');
 

src/Symfony/Bundle/SecurityBundle/Tests/Functional/FormLoginTest.php

@@ -153,11 +153,158 @@ class FormLoginTest extends AbstractWebTestCase
         }
     }
 
+    /**
+     * @dataProvider provideLegacyClientOptions
+     * @group legacy
+     */
+    public function testLegacyFormLogin(array $options)
+    {
+        $client = $this->createClient($options);
+
+        $form = $client->request('GET', '/login')->selectButton('login')->form();
+        $form['_username'] = 'johannes';
+        $form['_password'] = 'test';
+        $client->submit($form);
+
+        $this->assertRedirect($client->getResponse(), '/profile');
+
+        $text = $client->followRedirect()->text(null, true);
+        $this->assertStringContainsString('Hello johannes!', $text);
+        $this->assertStringContainsString('You\'re browsing to path "/profile".', $text);
+    }
+
+    /**
+     * @dataProvider provideLegacyClientOptions
+     * @group legacy
+     */
+    public function testLegacyFormLogout(array $options)
+    {
+        $client = $this->createClient($options);
+
+        $form = $client->request('GET', '/login')->selectButton('login')->form();
+        $form['_username'] = 'johannes';
+        $form['_password'] = 'test';
+        $client->submit($form);
+
+        $this->assertRedirect($client->getResponse(), '/profile');
+
+        $crawler = $client->followRedirect();
+        $text = $crawler->text(null, true);
+
+        $this->assertStringContainsString('Hello johannes!', $text);
+        $this->assertStringContainsString('You\'re browsing to path "/profile".', $text);
+
+        $logoutLinks = $crawler->selectLink('Log out')->links();
+        $this->assertCount(6, $logoutLinks);
+        $this->assertSame($logoutLinks[0]->getUri(), $logoutLinks[1]->getUri());
+        $this->assertSame($logoutLinks[2]->getUri(), $logoutLinks[3]->getUri());
+        $this->assertSame($logoutLinks[4]->getUri(), $logoutLinks[5]->getUri());
+
+        $this->assertNotSame($logoutLinks[0]->getUri(), $logoutLinks[2]->getUri());
+        $this->assertNotSame($logoutLinks[1]->getUri(), $logoutLinks[3]->getUri());
+
+        $this->assertSame($logoutLinks[0]->getUri(), $logoutLinks[4]->getUri());
+        $this->assertSame($logoutLinks[1]->getUri(), $logoutLinks[5]->getUri());
+    }
+
+    /**
+     * @dataProvider provideLegacyClientOptions
+     * @group legacy
+     */
+    public function testLegacyFormLoginWithCustomTargetPath(array $options)
+    {
+        $client = $this->createClient($options);
+
+        $form = $client->request('GET', '/login')->selectButton('login')->form();
+        $form['_username'] = 'johannes';
+        $form['_password'] = 'test';
+        $form['_target_path'] = '/foo';
+        $client->submit($form);
+
+        $this->assertRedirect($client->getResponse(), '/foo');
+
+        $text = $client->followRedirect()->text(null, true);
+        $this->assertStringContainsString('Hello johannes!', $text);
+        $this->assertStringContainsString('You\'re browsing to path "/foo".', $text);
+    }
+
+    /**
+     * @dataProvider provideLegacyClientOptions
+     * @group legacy
+     */
+    public function testLegacyFormLoginRedirectsToProtectedResourceAfterLogin(array $options)
+    {
+        $client = $this->createClient($options);
+
+        $client->request('GET', '/protected_resource');
+        $this->assertRedirect($client->getResponse(), '/login');
+
+        $form = $client->followRedirect()->selectButton('login')->form();
+        $form['_username'] = 'johannes';
+        $form['_password'] = 'test';
+        $client->submit($form);
+        $this->assertRedirect($client->getResponse(), '/protected_resource');
+
+        $text = $client->followRedirect()->text(null, true);
+        $this->assertStringContainsString('Hello johannes!', $text);
+        $this->assertStringContainsString('You\'re browsing to path "/protected_resource".', $text);
+    }
+
+    /**
+     * @group time-sensitive
+     * @group legacy
+     */
+    public function testLegacyLoginThrottling()
+    {
+        if (!class_exists(LoginThrottlingListener::class)) {
+            $this->markTestSkipped('Login throttling requires symfony/security-http:^5.2');
+        }
+
+        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'legacy_login_throttling.yml', 'enable_authenticator_manager' => true]);
+
+        $attempts = [
+            ['johannes', 'wrong'],
+            ['johannes', 'also_wrong'],
+            ['wrong', 'wrong'],
+            ['johannes', 'wrong_again'],
+        ];
+        foreach ($attempts as $i => $attempt) {
+            $form = $client->request('GET', '/login')->selectButton('login')->form();
+            $form['_username'] = $attempt[0];
+            $form['_password'] = $attempt[1];
+            $client->submit($form);
+
+            $text = $client->followRedirect()->text(null, true);
+            switch ($i) {
+                case 0: // First attempt : Invalid credentials (OK)
+                    $this->assertStringContainsString('Invalid credentials', $text, 'Invalid response on 1st attempt');
+
+                    break;
+                case 1: // Second attempt : login throttling !
+                    $this->assertStringContainsString('Too many failed login attempts, please try again in 8 minutes.', $text, 'Invalid response on 2nd attempt');
+
+                    break;
+                case 2: // Third attempt with unexisting username
+                    $this->assertStringContainsString('Invalid credentials.', $text, 'Invalid response on 3rd attempt');
+
+                    break;
+                case 3: // Fourth attempt : still login throttling !
+                    $this->assertStringContainsString('Too many failed login attempts, please try again in 8 minutes.', $text, 'Invalid response on 4th attempt');
+
+                    break;
+            }
+        }
+    }
+
     public function provideClientOptions()
     {
-        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'config.yml', 'enable_authenticator_manager' => true]];
+        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'base_config.yml', 'enable_authenticator_manager' => true]];
-        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'legacy_config.yml', 'enable_authenticator_manager' => false]];
         yield [['test_case' => 'StandardFormLogin', 'root_config' => 'routes_as_path.yml', 'enable_authenticator_manager' => true]];
+    }
+
+    public function provideLegacyClientOptions()
+    {
+        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'legacy_config.yml', 'enable_authenticator_manager' => false]];
         yield [['test_case' => 'StandardFormLogin', 'root_config' => 'legacy_routes_as_path.yml', 'enable_authenticator_manager' => false]];
     }
 }

src/Symfony/Bundle/SecurityBundle/Tests/Functional/GuardedTest.php

@@ -11,6 +11,9 @@
 
 namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
 
+/**
+ * @group legacy
+ */
 class GuardedTest extends AbstractWebTestCase
 {
     public function testGuarded()

src/Symfony/Bundle/SecurityBundle/Tests/Functional/JsonLoginTest.php

@@ -18,12 +18,9 @@ use Symfony\Component\HttpFoundation\JsonResponse;
  */
 class JsonLoginTest extends AbstractWebTestCase
 {
-    /**
+    public function testDefaultJsonLoginSuccess()
-     * @dataProvider provideSecuritySystems
-     */
-    public function testDefaultJsonLoginSuccess(array $options)
     {
-        $client = $this->createClient($options + ['test_case' => 'JsonLogin', 'root_config' => 'config.yml']);
+        $client = $this->createClient(['test_case' => 'JsonLogin', 'root_config' => 'config.yml']);
         $client->request('POST', '/chk', [], [], ['CONTENT_TYPE' => 'application/json'], '{"user": {"login": "dunglas", "password": "foo"}}');
         $response = $client->getResponse();
 
@@ -32,12 +29,9 @@ class JsonLoginTest extends AbstractWebTestCase
         $this->assertSame(['message' => 'Welcome @dunglas!'], json_decode($response->getContent(), true));
     }
 
-    /**
+    public function testDefaultJsonLoginFailure()
-     * @dataProvider provideSecuritySystems
-     */
-    public function testDefaultJsonLoginFailure(array $options)
     {
-        $client = $this->createClient($options + ['test_case' => 'JsonLogin', 'root_config' => 'config.yml']);
+        $client = $this->createClient(['test_case' => 'JsonLogin', 'root_config' => 'config.yml']);
         $client->request('POST', '/chk', [], [], ['CONTENT_TYPE' => 'application/json'], '{"user": {"login": "dunglas", "password": "bad"}}');
         $response = $client->getResponse();
 
@@ -46,12 +40,9 @@ class JsonLoginTest extends AbstractWebTestCase
         $this->assertSame(['error' => 'Invalid credentials.'], json_decode($response->getContent(), true));
     }
 
-    /**
+    public function testCustomJsonLoginSuccess()
-     * @dataProvider provideSecuritySystems
-     */
-    public function testCustomJsonLoginSuccess(array $options)
     {
-        $client = $this->createClient($options + ['test_case' => 'JsonLogin', 'root_config' => 'custom_handlers.yml']);
+        $client = $this->createClient(['test_case' => 'JsonLogin', 'root_config' => 'custom_handlers.yml']);
         $client->request('POST', '/chk', [], [], ['CONTENT_TYPE' => 'application/json'], '{"user": {"login": "dunglas", "password": "foo"}}');
         $response = $client->getResponse();
 
@@ -60,12 +51,9 @@ class JsonLoginTest extends AbstractWebTestCase
         $this->assertSame(['message' => 'Good game @dunglas!'], json_decode($response->getContent(), true));
     }
 
-    /**
+    public function testCustomJsonLoginFailure()
-     * @dataProvider provideSecuritySystems
-     */
-    public function testCustomJsonLoginFailure(array $options)
     {
-        $client = $this->createClient($options + ['test_case' => 'JsonLogin', 'root_config' => 'custom_handlers.yml']);
+        $client = $this->createClient(['test_case' => 'JsonLogin', 'root_config' => 'custom_handlers.yml']);
         $client->request('POST', '/chk', [], [], ['CONTENT_TYPE' => 'application/json'], '{"user": {"login": "dunglas", "password": "bad"}}');
         $response = $client->getResponse();
 
@@ -75,11 +63,81 @@ class JsonLoginTest extends AbstractWebTestCase
     }
 
     /**
-     * @dataProvider provideSecuritySystems
+     * @group legacy
      */
-    public function testDefaultJsonLoginBadRequest(array $options)
+    public function testDefaultJsonLoginBadRequest()
     {
-        $client = $this->createClient($options + ['test_case' => 'JsonLogin', 'root_config' => 'config.yml']);
+        $client = $this->createClient(['test_case' => 'JsonLogin', 'root_config' => 'legacy_config.yml']);
+        $client->request('POST', '/chk', [], [], ['CONTENT_TYPE' => 'application/json'], 'Not a json content');
+        $response = $client->getResponse();
+
+        $this->assertSame(400, $response->getStatusCode());
+        $this->assertSame('application/json', $response->headers->get('Content-Type'));
+        $this->assertSame(['type' => 'https://tools.ietf.org/html/rfc2616#section-10', 'title' => 'An error occurred', 'status' => 400, 'detail' => 'Bad Request'], json_decode($response->getContent(), true));
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testLegacyDefaultJsonLoginSuccess()
+    {
+        $client = $this->createClient(['test_case' => 'JsonLogin', 'root_config' => 'legacy_config.yml']);
+        $client->request('POST', '/chk', [], [], ['CONTENT_TYPE' => 'application/json'], '{"user": {"login": "dunglas", "password": "foo"}}');
+        $response = $client->getResponse();
+
+        $this->assertInstanceOf(JsonResponse::class, $response);
+        $this->assertSame(200, $response->getStatusCode());
+        $this->assertSame(['message' => 'Welcome @dunglas!'], json_decode($response->getContent(), true));
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testLegacyDefaultJsonLoginFailure()
+    {
+        $client = $this->createClient(['test_case' => 'JsonLogin', 'root_config' => 'legacy_config.yml']);
+        $client->request('POST', '/chk', [], [], ['CONTENT_TYPE' => 'application/json'], '{"user": {"login": "dunglas", "password": "bad"}}');
+        $response = $client->getResponse();
+
+        $this->assertInstanceOf(JsonResponse::class, $response);
+        $this->assertSame(401, $response->getStatusCode());
+        $this->assertSame(['error' => 'Invalid credentials.'], json_decode($response->getContent(), true));
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testLegacyCustomJsonLoginSuccess()
+    {
+        $client = $this->createClient(['test_case' => 'JsonLogin', 'root_config' => 'legacy_custom_handlers.yml']);
+        $client->request('POST', '/chk', [], [], ['CONTENT_TYPE' => 'application/json'], '{"user": {"login": "dunglas", "password": "foo"}}');
+        $response = $client->getResponse();
+
+        $this->assertInstanceOf(JsonResponse::class, $response);
+        $this->assertSame(200, $response->getStatusCode());
+        $this->assertSame(['message' => 'Good game @dunglas!'], json_decode($response->getContent(), true));
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testLegacyCustomJsonLoginFailure()
+    {
+        $client = $this->createClient(['test_case' => 'JsonLogin', 'root_config' => 'legacy_custom_handlers.yml']);
+        $client->request('POST', '/chk', [], [], ['CONTENT_TYPE' => 'application/json'], '{"user": {"login": "dunglas", "password": "bad"}}');
+        $response = $client->getResponse();
+
+        $this->assertInstanceOf(JsonResponse::class, $response);
+        $this->assertSame(500, $response->getStatusCode());
+        $this->assertSame(['message' => 'Something went wrong'], json_decode($response->getContent(), true));
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testLegacyDefaultJsonLoginBadRequest()
+    {
+        $client = $this->createClient(['test_case' => 'JsonLogin', 'root_config' => 'legacy_config.yml']);
         $client->request('POST', '/chk', [], [], ['CONTENT_TYPE' => 'application/json'], 'Not a json content');
         $response = $client->getResponse();
 

src/Symfony/Bundle/SecurityBundle/Tests/Functional/LocalizedRoutesAsPathTest.php

@@ -40,7 +40,7 @@ class LocalizedRoutesAsPathTest extends AbstractWebTestCase
      */
     public function testLoginFailureWithLocalizedFailurePath($locale, array $options)
     {
-        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => ($options['enable_authenticator_manager'] ? '' : 'legacy_').'localized_form_failure_handler.yml'] + $options);
+        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'localized_form_failure_handler.yml'] + $options);
 
         $crawler = $client->request('GET', '/'.$locale.'/login');
         $form = $crawler->selectButton('login')->form();
@@ -73,11 +73,79 @@ class LocalizedRoutesAsPathTest extends AbstractWebTestCase
         $this->assertCount(1, $crawler->selectButton('login'), (string) $client->getResponse());
     }
 
+    /**
+     * @group legacy
+     * @dataProvider getLegacyLocalesAndClientConfig
+     */
+    public function testLegacyLoginLogoutProcedure($locale, array $options)
+    {
+        $client = $this->createClient(['test_case' => 'StandardFormLogin'] + $options);
+
+        $crawler = $client->request('GET', '/'.$locale.'/login');
+        $form = $crawler->selectButton('login')->form();
+        $form['_username'] = 'johannes';
+        $form['_password'] = 'test';
+        $client->submit($form);
+
+        $this->assertRedirect($client->getResponse(), '/'.$locale.'/profile');
+        $this->assertEquals('Profile', $client->followRedirect()->text());
+
+        $client->request('GET', '/'.$locale.'/logout');
+        $this->assertRedirect($client->getResponse(), '/'.$locale.'/');
+        $this->assertEquals('Homepage', $client->followRedirect()->text());
+    }
+
+    /**
+     * @group issue-32995
+     * @group legacy
+     * @dataProvider getLegacyLocalesAndClientConfig
+     */
+    public function testLegacyLoginFailureWithLocalizedFailurePath($locale, array $options)
+    {
+        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'legacy_localized_form_failure_handler.yml'] + $options);
+
+        $crawler = $client->request('GET', '/'.$locale.'/login');
+        $form = $crawler->selectButton('login')->form();
+        $form['_username'] = 'johannes';
+        $form['_password'] = 'foobar';
+        $client->submit($form);
+
+        $this->assertRedirect($client->getResponse(), '/'.$locale.'/login');
+    }
+
+    /**
+     * @group legacy
+     * @dataProvider getLegacyLocalesAndClientConfig
+     */
+    public function testLegacyAccessRestrictedResource($locale, array $options)
+    {
+        $client = $this->createClient(['test_case' => 'StandardFormLogin'] + $options);
+
+        $client->request('GET', '/'.$locale.'/secure/');
+        $this->assertRedirect($client->getResponse(), '/'.$locale.'/login');
+    }
+
+    /**
+     * @group legacy
+     * @dataProvider getLegacyLocalesAndClientConfig
+     */
+    public function testLegacyAccessRestrictedResourceWithForward($locale, array $options)
+    {
+        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'legacy_localized_routes_with_forward.yml'] + $options);
+
+        $crawler = $client->request('GET', '/'.$locale.'/secure/');
+        $this->assertCount(1, $crawler->selectButton('login'), (string) $client->getResponse());
+    }
+
     public function getLocalesAndClientConfig()
     {
-        yield ['en', ['enable_authenticator_manager' => true, 'root_config' => 'localized_routes.yml']];
+        yield ['en', ['root_config' => 'localized_routes.yml']];
-        yield ['en', ['enable_authenticator_manager' => false, 'root_config' => 'legacy_localized_routes.yml']];
+        yield ['de', ['root_config' => 'localized_routes.yml']];
-        yield ['de', ['enable_authenticator_manager' => true, 'root_config' => 'localized_routes.yml']];
+    }
-        yield ['de', ['enable_authenticator_manager' => false, 'root_config' => 'legacy_localized_routes.yml']];
+
+    public function getLegacyLocalesAndClientConfig()
+    {
+        yield ['en', ['root_config' => 'legacy_localized_routes.yml']];
+        yield ['de', ['root_config' => 'legacy_localized_routes.yml']];
     }
 }

src/Symfony/Bundle/SecurityBundle/Tests/Functional/LogoutTest.php

@@ -20,12 +20,9 @@ use Symfony\Component\HttpKernel\KernelEvents;
 
 class LogoutTest extends AbstractWebTestCase
 {
-    /**
+    public function testCsrfTokensAreClearedOnLogout()
-     * @dataProvider provideSecuritySystems
-     */
-    public function testCsrfTokensAreClearedOnLogout(array $options)
     {
-        $client = $this->createClient($options + ['test_case' => 'LogoutWithoutSessionInvalidation', 'root_config' => 'config.yml']);
+        $client = $this->createClient(['enable_authenticator_manager' => true, 'test_case' => 'LogoutWithoutSessionInvalidation', 'root_config' => 'config.yml']);
         $client->disableReboot();
         $this->callInRequestContext($client, function () {
             static::getContainer()->get('security.csrf.token_storage')->setToken('foo', 'bar');
@@ -49,11 +46,49 @@ class LogoutTest extends AbstractWebTestCase
     }
 
     /**
-     * @dataProvider provideSecuritySystems
+     * @group legacy
      */
-    public function testAccessControlDoesNotApplyOnLogout(array $options)
+    public function testLegacyCsrfTokensAreClearedOnLogout()
     {
-        $client = $this->createClient($options + ['test_case' => 'Logout', 'root_config' => 'config_access.yml']);
+        $client = $this->createClient(['enable_authenticator_manager' => false, 'test_case' => 'LogoutWithoutSessionInvalidation', 'root_config' => 'config.yml']);
+        $client->disableReboot();
+        $this->callInRequestContext($client, function () {
+            static::getContainer()->get('security.csrf.token_storage')->setToken('foo', 'bar');
+        });
+
+        $client->request('POST', '/login', [
+            '_username' => 'johannes',
+            '_password' => 'test',
+        ]);
+
+        $this->callInRequestContext($client, function () {
+            $this->assertTrue(static::getContainer()->get('security.csrf.token_storage')->hasToken('foo'));
+            $this->assertSame('bar', static::getContainer()->get('security.csrf.token_storage')->getToken('foo'));
+        });
+
+        $client->request('GET', '/logout');
+
+        $this->callInRequestContext($client, function () {
+            $this->assertFalse(static::getContainer()->get('security.csrf.token_storage')->hasToken('foo'));
+        });
+    }
+
+    public function testAccessControlDoesNotApplyOnLogout()
+    {
+        $client = $this->createClient(['enable_authenticator_manager' => true, 'test_case' => 'Logout', 'root_config' => 'config_access.yml']);
+
+        $client->request('POST', '/login', ['_username' => 'johannes', '_password' => 'test']);
+        $client->request('GET', '/logout');
+
+        $this->assertRedirect($client->getResponse(), '/');
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testLegacyAccessControlDoesNotApplyOnLogout()
+    {
+        $client = $this->createClient(['enable_authenticator_manager' => false, 'test_case' => 'Logout', 'root_config' => 'config_access.yml']);
 
         $client->request('POST', '/login', ['_username' => 'johannes', '_password' => 'test']);
         $client->request('GET', '/logout');

src/Symfony/Bundle/SecurityBundle/Tests/Functional/MissingUserProviderTest.php

@@ -11,9 +11,24 @@
 
 namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
 
+use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
+
 class MissingUserProviderTest extends AbstractWebTestCase
 {
     public function testUserProviderIsNeeded()
+    {
+        $client = $this->createClient(['enable_authenticator_manager' => true, 'test_case' => 'MissingUserProvider', 'root_config' => 'config.yml', 'debug' => true]);
+
+        $this->expectException(InvalidConfigurationException::class);
+        $this->expectExceptionMessage('"default" firewall requires a user provider but none was defined');
+
+        $client->request('GET', '/', [], [], [
+            'PHP_AUTH_USER' => 'username',
+            'PHP_AUTH_PW' => 'pa$$word',
+        ]);
+    }
+
+    public function testLegacyUserProviderIsNeeded()
     {
         $client = $this->createClient(['test_case' => 'MissingUserProvider', 'root_config' => 'config.yml', 'debug' => true]);
 

src/Symfony/Bundle/SecurityBundle/Tests/Functional/RememberMeCookieTest.php

@@ -22,8 +22,11 @@ class RememberMeCookieTest extends AbstractWebTestCase
         $this->assertSame($expectedSecureFlag, $cookies['']['/']['REMEMBERME']->isSecure());
     }
 
-    /** @dataProvider getSessionRememberMeSecureCookieFlagAutoHttpsMap */
+    /**
-    public function testOldSessionRememberMeSecureCookieFlagAuto($https, $expectedSecureFlag)
+     * @dataProvider getSessionRememberMeSecureCookieFlagAutoHttpsMap
+     * @group legacy
+     */
+    public function testLegacySessionRememberMeSecureCookieFlagAuto($https, $expectedSecureFlag)
     {
         $client = $this->createClient(['test_case' => 'RememberMeCookie', 'root_config' => 'legacy_config.yml']);
 

src/Symfony/Bundle/SecurityBundle/Tests/Functional/RememberMeTest.php

@@ -13,18 +13,76 @@ namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
 
 class RememberMeTest extends AbstractWebTestCase
 {
-    public function provideRememberMeSystems()
+    /**
+     * @dataProvider provideConfigs
+     */
+    public function testRememberMe(array $options)
     {
-        foreach ($this->provideSecuritySystems() as $securitySystem) {
+        $client = $this->createClient(array_merge_recursive(['root_config' => 'config.yml', 'test_case' => 'RememberMe'], $options));
-            yield [$securitySystem[0] + ['root_config' => 'config_session.yml']];
+        $client->request('POST', '/login', [
-            yield [$securitySystem[0] + ['root_config' => 'config_persistent.yml']];
+            '_username' => 'johannes',
+            '_password' => 'test',
+        ]);
+        $this->assertSame(302, $client->getResponse()->getStatusCode());
+
+        $client->request('GET', '/profile');
+        $this->assertSame('johannes', $client->getResponse()->getContent());
+
+        // clear session, this should trigger remember me on the next request
+        $client->getCookieJar()->expire('MOCKSESSID');
+
+        $client->request('GET', '/profile');
+        $this->assertSame('johannes', $client->getResponse()->getContent(), 'Not logged in after resetting session.');
+
+        // logout, this should clear the remember-me cookie
+        $client->request('GET', '/logout');
+        $this->assertSame(302, $client->getResponse()->getStatusCode(), 'Logout unsuccessful.');
+        $this->assertNull($client->getCookieJar()->get('REMEMBERME'));
     }
+
+    public function testUserChangeClearsCookie()
+    {
+        $client = $this->createClient(['test_case' => 'RememberMe', 'root_config' => 'clear_on_change_config.yml']);
+
+        $client->request('POST', '/login', [
+            '_username' => 'johannes',
+            '_password' => 'test',
+        ]);
+
+        $this->assertSame(302, $client->getResponse()->getStatusCode());
+        $cookieJar = $client->getCookieJar();
+        $this->assertNotNull($cookieJar->get('REMEMBERME'));
+
+        $client->request('GET', '/profile');
+        $this->assertRedirect($client->getResponse(), '/login');
+        $this->assertNull($cookieJar->get('REMEMBERME'));
+    }
+
+    public function testSessionLessRememberMeLogout()
+    {
+        $client = $this->createClient(['test_case' => 'RememberMe', 'root_config' => 'stateless_config.yml']);
+
+        $client->request('POST', '/login', [
+            '_username' => 'johannes',
+            '_password' => 'test',
+        ]);
+
+        $cookieJar = $client->getCookieJar();
+        $cookieJar->expire(session_name());
+
+        $this->assertNotNull($cookieJar->get('REMEMBERME'));
+        $this->assertSame('lax', $cookieJar->get('REMEMBERME')->getSameSite());
+
+        $client->request('GET', '/logout');
+        $this->assertSame(302, $client->getResponse()->getStatusCode(), 'Logout unsuccessful.');
+        $this->assertNull($cookieJar->get('REMEMBERME'));
     }
 
     /**
-     * @dataProvider provideRememberMeSystems
+     * @dataProvider provideLegacyConfigs
+     * @group legacy
      */
-    public function testRememberMe(array $options)
+    public function testLegacyRememberMe(array $options)
     {
         $client = $this->createClient(array_merge_recursive(['root_config' => 'config.yml', 'test_case' => 'RememberMe'], $options));
 
@@ -50,11 +108,11 @@ class RememberMeTest extends AbstractWebTestCase
     }
 
     /**
-     * @dataProvider provideSecuritySystems
+     * @group legacy
      */
-    public function testUserChangeClearsCookie(array $options)
+    public function testLegacyUserChangeClearsCookie()
     {
-        $client = $this->createClient(['test_case' => 'RememberMe', 'root_config' => 'clear_on_change_config.yml'] + $options);
+        $client = $this->createClient(['test_case' => 'RememberMe', 'root_config' => 'clear_on_change_config.yml']);
 
         $client->request('POST', '/login', [
             '_username' => 'johannes',
@@ -71,11 +129,11 @@ class RememberMeTest extends AbstractWebTestCase
     }
 
     /**
-     * @dataProvider provideSecuritySystems
+     * @group legacy
      */
-    public function testSessionLessRememberMeLogout(array $options)
+    public function testLegacySessionLessRememberMeLogout()
     {
-        $client = $this->createClient(['test_case' => 'RememberMe', 'root_config' => 'stateless_config.yml'] + $options);
+        $client = $this->createClient(['test_case' => 'RememberMe', 'root_config' => 'stateless_config.yml']);
 
         $client->request('POST', '/login', [
             '_username' => 'johannes',
@@ -92,4 +150,16 @@ class RememberMeTest extends AbstractWebTestCase
         $this->assertSame(302, $client->getResponse()->getStatusCode(), 'Logout unsuccessful.');
         $this->assertNull($cookieJar->get('REMEMBERME'));
     }
+
+    public function provideConfigs()
+    {
+        yield [['root_config' => 'config_session.yml']];
+        yield [['root_config' => 'config_persistent.yml']];
+    }
+
+    public function provideLegacyConfigs()
+    {
+        yield [['root_config' => 'legacy_config_session.yml']];
+        yield [['root_config' => 'legacy_config_persistent.yml']];
+    }
 }

src/Symfony/Bundle/SecurityBundle/Tests/Functional/SecurityRoutingIntegrationTest.php

@@ -120,24 +120,155 @@ class SecurityRoutingIntegrationTest extends AbstractWebTestCase
         $this->assertAllowed($allowedClient, '/protected-via-expression');
     }
 
-    /**
+    public function testInvalidIpsInAccessControl()
-     * @dataProvider provideSecuritySystems
-     */
-    public function testInvalidIpsInAccessControl(array $options)
     {
         $this->expectException(\LogicException::class);
         $this->expectExceptionMessage('The given value "256.357.458.559" in the "security.access_control" config option is not a valid IP address.');
 
-        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'invalid_ip_access_control.yml'] + $options);
+        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'invalid_ip_access_control.yml']);
+        $client->request('GET', '/unprotected_resource');
+    }
+
+    public function testPublicHomepage()
+    {
+        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'base_config.yml']);
+        $client->request('GET', '/en/');
+
+        $this->assertEquals(200, $client->getResponse()->getStatusCode(), (string) $client->getResponse());
+        $this->assertTrue($client->getResponse()->headers->getCacheControlDirective('public'));
+        $this->assertSame(0, self::getContainer()->get('session')->getUsageIndex());
+    }
+    /**
+     * @dataProvider provideLegacyClientOptions
+     * @group legacy
+     */
+    public function testLegacyRoutingErrorIsNotExposedForProtectedResourceWhenAnonymous(array $options)
+    {
+        $client = $this->createClient($options);
+        $client->request('GET', '/protected_resource');
+
+        $this->assertRedirect($client->getResponse(), '/login');
+    }
+
+    /**
+     * @dataProvider provideLegacyClientOptions
+     * @group legacy
+     */
+    public function testLegacyRoutingErrorIsExposedWhenNotProtected(array $options)
+    {
+        $client = $this->createClient($options);
+        $client->request('GET', '/unprotected_resource');
+
+        $this->assertEquals(404, $client->getResponse()->getStatusCode(), (string) $client->getResponse());
+    }
+
+    /**
+     * @dataProvider provideLegacyClientOptions
+     * @group legacy
+     */
+    public function testLegacyRoutingErrorIsNotExposedForProtectedResourceWhenLoggedInWithInsufficientRights(array $options)
+    {
+        $client = $this->createClient($options);
+
+        $form = $client->request('GET', '/login')->selectButton('login')->form();
+        $form['_username'] = 'johannes';
+        $form['_password'] = 'test';
+        $client->submit($form);
+
+        $client->request('GET', '/highly_protected_resource');
+
+        $this->assertNotEquals(404, $client->getResponse()->getStatusCode());
+    }
+
+    /**
+     * @group legacy
+     * @dataProvider provideLegacyClientOptions
+     */
+    public function testLegacySecurityConfigurationForSingleIPAddress(array $options)
+    {
+        $allowedClient = $this->createClient($options, ['REMOTE_ADDR' => '10.10.10.10']);
+
+        $this->ensureKernelShutdown();
+
+        $barredClient = $this->createClient($options, ['REMOTE_ADDR' => '10.10.20.10']);
+
+        $this->assertAllowed($allowedClient, '/secured-by-one-ip');
+        $this->assertRestricted($barredClient, '/secured-by-one-ip');
+    }
+
+    /**
+     * @group legacy
+     * @dataProvider provideLegacyClientOptions
+     */
+    public function testLegacySecurityConfigurationForMultipleIPAddresses(array $options)
+    {
+        $allowedClientA = $this->createClient($options, ['REMOTE_ADDR' => '1.1.1.1']);
+
+        $this->ensureKernelShutdown();
+
+        $allowedClientB = $this->createClient($options, ['REMOTE_ADDR' => '2.2.2.2']);
+
+        $this->ensureKernelShutdown();
+
+        $allowedClientC = $this->createClient($options, ['REMOTE_ADDR' => '203.0.113.0']);
+
+        $this->ensureKernelShutdown();
+
+        $barredClient = $this->createClient($options, ['REMOTE_ADDR' => '192.168.1.1']);
+
+        $this->assertAllowed($allowedClientA, '/secured-by-two-ips');
+        $this->assertAllowed($allowedClientB, '/secured-by-two-ips');
+
+        $this->assertRestricted($allowedClientA, '/secured-by-one-real-ip');
+        $this->assertRestricted($allowedClientA, '/secured-by-one-real-ipv6');
+        $this->assertAllowed($allowedClientC, '/secured-by-one-real-ip-with-mask');
+
+        $this->assertRestricted($barredClient, '/secured-by-two-ips');
+    }
+
+    /**
+     * @group legacy
+     * @dataProvider provideLegacyConfigs
+     */
+    public function testLegacySecurityConfigurationForExpression(array $options)
+    {
+        $allowedClient = $this->createClient($options, ['HTTP_USER_AGENT' => 'Firefox 1.0']);
+        $this->assertAllowed($allowedClient, '/protected-via-expression');
+        $this->ensureKernelShutdown();
+
+        $barredClient = $this->createClient($options, []);
+        $this->assertRestricted($barredClient, '/protected-via-expression');
+        $this->ensureKernelShutdown();
+
+        $allowedClient = $this->createClient($options, []);
+
+        $allowedClient->request('GET', '/protected-via-expression');
+        $form = $allowedClient->followRedirect()->selectButton('login')->form();
+        $form['_username'] = 'johannes';
+        $form['_password'] = 'test';
+        $allowedClient->submit($form);
+        $this->assertRedirect($allowedClient->getResponse(), '/protected-via-expression');
+        $this->assertAllowed($allowedClient, '/protected-via-expression');
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testLegacyInvalidIpsInAccessControl()
+    {
+        $this->expectException(\LogicException::class);
+        $this->expectExceptionMessage('The given value "256.357.458.559" in the "security.access_control" config option is not a valid IP address.');
+
+        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'invalid_ip_access_control.yml', 'enable_authenticator_manager' => false]);
         $client->request('GET', '/unprotected_resource');
     }
 
     /**
-     * @dataProvider provideSecuritySystems
+     * @group legacy
      */
-    public function testPublicHomepage(array $options)
+    public function testLegacyPublicHomepage()
     {
-        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'config.yml'] + $options);
+        $client = $this->createClient(['test_case' => 'StandardFormLogin', 'root_config' => 'legacy_config.yml']);
         $client->request('GET', '/en/');
 
         $this->assertEquals(200, $client->getResponse()->getStatusCode(), (string) $client->getResponse());
@@ -159,13 +290,23 @@ class SecurityRoutingIntegrationTest extends AbstractWebTestCase
 
     public function provideClientOptions()
     {
-        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'config.yml', 'enable_authenticator_manager' => true]];
+        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'base_config.yml', 'enable_authenticator_manager' => true]];
-        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'legacy_config.yml', 'enable_authenticator_manager' => false]];
+        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'routes_as_path.yml', 'enable_authenticator_manager' => true]];
+    }
+
+    public function provideLegacyClientOptions()
+    {
+        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'base_config.yml', 'enable_authenticator_manager' => true]];
         yield [['test_case' => 'StandardFormLogin', 'root_config' => 'routes_as_path.yml', 'enable_authenticator_manager' => true]];
-        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'legacy_routes_as_path.yml', 'enable_authenticator_manager' => false]];
     }
 
     public function provideConfigs()
+    {
+        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'base_config.yml']];
+        yield [['test_case' => 'StandardFormLogin', 'root_config' => 'routes_as_path.yml']];
+    }
+
+    public function provideLegacyConfigs()
     {
         yield [['test_case' => 'StandardFormLogin', 'root_config' => 'legacy_config.yml']];
         yield [['test_case' => 'StandardFormLogin', 'root_config' => 'legacy_routes_as_path.yml']];

src/Symfony/Bundle/SecurityBundle/Tests/Functional/SecurityTest.php

@@ -35,20 +35,6 @@ class SecurityTest extends AbstractWebTestCase
         $this->assertSame($token, $security->getToken());
     }
 
-    public function userWillBeMarkedAsChangedIfRolesHasChangedProvider()
-    {
-        return [
-            [
-                new InMemoryUser('user1', 'test', ['ROLE_ADMIN']),
-                new InMemoryUser('user1', 'test', ['ROLE_USER']),
-            ],
-            [
-                new UserWithoutEquatable('user1', 'test', ['ROLE_ADMIN']),
-                new UserWithoutEquatable('user1', 'test', ['ROLE_USER']),
-            ],
-        ];
-    }
-
     /**
      * @dataProvider userWillBeMarkedAsChangedIfRolesHasChangedProvider
      */
@@ -77,6 +63,69 @@ class SecurityTest extends AbstractWebTestCase
         $client->request('GET', '/admin');
         $this->assertEquals(302, $client->getResponse()->getStatusCode());
     }
+
+    /**
+     * @dataProvider userWillBeMarkedAsChangedIfRolesHasChangedProvider
+     * @group legacy
+     */
+    public function testLegacyUserWillBeMarkedAsChangedIfRolesHasChanged(UserInterface $userWithAdminRole, UserInterface $userWithoutAdminRole)
+    {
+        $client = $this->createClient(['test_case' => 'AbstractTokenCompareRoles', 'root_config' => 'legacy_config.yml']);
+        $client->disableReboot();
+
+        /** @var ArrayUserProvider $userProvider */
+        $userProvider = static::$kernel->getContainer()->get('security.user.provider.array');
+        $userProvider->addUser($userWithAdminRole);
+
+        $client->request('POST', '/login', [
+            '_username' => 'user1',
+            '_password' => 'test',
+        ]);
+
+        // user1 has ROLE_ADMIN and can visit secure page
+        $client->request('GET', '/admin');
+        $this->assertEquals(200, $client->getResponse()->getStatusCode());
+
+        // updating user provider with same user but revoked ROLE_ADMIN from user1
+        $userProvider->setUser('user1', $userWithoutAdminRole);
+
+        // user1 has lost ROLE_ADMIN and MUST be redirected away from secure page
+        $client->request('GET', '/admin');
+        $this->assertEquals(302, $client->getResponse()->getStatusCode());
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testLegacyServiceIsFunctional()
+    {
+        $kernel = self::createKernel(['test_case' => 'SecurityHelper', 'root_config' => 'legacy_config.yml']);
+        $kernel->boot();
+        $container = $kernel->getContainer();
+
+        // put a token into the storage so the final calls can function
+        $user = new InMemoryUser('foo', 'pass');
+        $token = new UsernamePasswordToken($user, '', 'provider', ['ROLE_USER']);
+        $container->get('functional.test.security.token_storage')->setToken($token);
+
+        $security = $container->get('functional_test.security.helper');
+        $this->assertTrue($security->isGranted('ROLE_USER'));
+        $this->assertSame($token, $security->getToken());
+    }
+
+    public function userWillBeMarkedAsChangedIfRolesHasChangedProvider()
+    {
+        return [
+            [
+                new InMemoryUser('user1', 'test', ['ROLE_ADMIN']),
+                new InMemoryUser('user1', 'test', ['ROLE_USER']),
+            ],
+            [
+                new UserWithoutEquatable('user1', 'test', ['ROLE_ADMIN']),
+                new UserWithoutEquatable('user1', 'test', ['ROLE_USER']),
+            ],
+        ];
+    }
 }
 
 final class UserWithoutEquatable implements UserInterface, PasswordAuthenticatedUserInterface

src/Symfony/Bundle/SecurityBundle/Tests/Functional/SwitchUserTest.php

@@ -19,9 +19,22 @@ class SwitchUserTest extends AbstractWebTestCase
     /**
      * @dataProvider getTestParameters
      */
-    public function testSwitchUser($originalUser, $authenticatorManagerEnabled, $targetUser, $expectedUser, $expectedStatus)
+    public function testSwitchUser($originalUser, $targetUser, $expectedUser, $expectedStatus)
     {
-        $client = $this->createAuthenticatedClient($originalUser, ['enable_authenticator_manager' => $authenticatorManagerEnabled]);
+        $client = $this->createAuthenticatedClient($originalUser, ['root_config' => 'switchuser.yml']);
+
+        $client->request('GET', '/profile?_switch_user='.$targetUser);
+
+        $this->assertEquals($expectedStatus, $client->getResponse()->getStatusCode());
+        $this->assertEquals($expectedUser, $client->getProfile()->getCollector('security')->getUser());
+    }
+
+    /**
+     * @dataProvider getLegacyTestParameters
+     */
+    public function testLegacySwitchUser($originalUser, $targetUser, $expectedUser, $expectedStatus)
+    {
+        $client = $this->createAuthenticatedClient($originalUser, ['root_config' => 'legacy_switchuser.yml']);
 
         $client->request('GET', '/profile?_switch_user='.$targetUser);
 
@@ -75,14 +88,20 @@ class SwitchUserTest extends AbstractWebTestCase
     public function getTestParameters()
     {
         return [
-            'unauthorized_user_cannot_switch' => ['user_cannot_switch_1', true, 'user_cannot_switch_1', 'user_cannot_switch_1', 403],
+            'unauthorized_user_cannot_switch' => ['user_cannot_switch_1', 'user_cannot_switch_1', 'user_cannot_switch_1', 403],
-            'legacy_unauthorized_user_cannot_switch' => ['user_cannot_switch_1', false, 'user_cannot_switch_1', 'user_cannot_switch_1', 403],
+            'authorized_user_can_switch' => ['user_can_switch', 'user_cannot_switch_1', 'user_cannot_switch_1', 200],
-            'authorized_user_can_switch' => ['user_can_switch', true, 'user_cannot_switch_1', 'user_cannot_switch_1', 200],
+            'authorized_user_cannot_switch_to_non_existent' => ['user_can_switch', 'user_does_not_exist', 'user_can_switch', 403],
-            'legacy_authorized_user_can_switch' => ['user_can_switch', false, 'user_cannot_switch_1', 'user_cannot_switch_1', 200],
+            'authorized_user_can_switch_to_himself' => ['user_can_switch', 'user_can_switch', 'user_can_switch', 200],
-            'authorized_user_cannot_switch_to_non_existent' => ['user_can_switch', true, 'user_does_not_exist', 'user_can_switch', 403],
+        ];
-            'legacy_authorized_user_cannot_switch_to_non_existent' => ['user_can_switch', false, 'user_does_not_exist', 'user_can_switch', 403],
+    }
-            'authorized_user_can_switch_to_himself' => ['user_can_switch', true, 'user_can_switch', 'user_can_switch', 200],
+
-            'legacy_authorized_user_can_switch_to_himself' => ['user_can_switch', false, 'user_can_switch', 'user_can_switch', 200],
+    public function getLegacyTestParameters()
+    {
+        return [
+            'legacy_unauthorized_user_cannot_switch' => ['user_cannot_switch_1', 'user_cannot_switch_1', 'user_cannot_switch_1', 403],
+            'legacy_authorized_user_can_switch' => ['user_can_switch', 'user_cannot_switch_1', 'user_cannot_switch_1', 200],
+            'legacy_authorized_user_cannot_switch_to_non_existent' => ['user_can_switch', 'user_does_not_exist', 'user_can_switch', 403],
+            'legacy_authorized_user_can_switch_to_himself' => ['user_can_switch', 'user_can_switch', 'user_can_switch', 200],
         ];
     }
 

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AbstractTokenCompareRoles/config.yml

@@ -8,6 +8,7 @@ services:
     class: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\SecuredPageBundle\Security\Core\User\ArrayUserProvider
 
 security:
+  enable_authenticator_manager: true
 
   password_hashers:
     \Symfony\Component\Security\Core\User\UserInterface: plaintext
@@ -23,7 +24,6 @@ security:
         remember_me: true
         require_previous_session: false
       logout: ~
-      anonymous: ~
       stateless: false
 
   access_control:

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AbstractTokenCompareRoles/legacy_config.yml

@@ -0,0 +1,30 @@
+imports:
+  - { resource: ./../config/framework.yml }
+
+services:
+  _defaults: { public: true }
+
+  security.user.provider.array:
+    class: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\SecuredPageBundle\Security\Core\User\ArrayUserProvider
+
+security:
+  password_hashers:
+    \Symfony\Component\Security\Core\User\UserInterface: plaintext
+
+  providers:
+    array:
+      id: security.user.provider.array
+
+  firewalls:
+    default:
+      form_login:
+        check_path: login
+        remember_me: true
+        require_previous_session: false
+      logout: ~
+      stateless: false
+
+  access_control:
+    - { path: ^/admin$, roles: ROLE_ADMIN }
+    - { path: ^/login$, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+    - { path: .*, roles: IS_AUTHENTICATED_FULLY }

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/Authenticator/firewall_user_provider.yml

@@ -3,6 +3,7 @@ imports:
 - { resource: ./security.yml }
 
 security:
+    enable_authenticator_manager: true
     firewalls:
         api:
             pattern: /

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/Authenticator/implicit_user_provider.yml

@@ -3,6 +3,7 @@ imports:
 - { resource: ./security.yml }
 
 security:
+    enable_authenticator_manager: true
     firewalls:
         api:
             pattern: /

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AutowiringTypes/config.yml

@@ -7,6 +7,7 @@ services:
         class: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AutowiringBundle\AutowiredServices
         autowire: true
 security:
+    enable_authenticator_manager: true
     providers:
         dummy:
             memory: ~

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/AutowiringTypes/legacy_config.yml

@@ -0,0 +1,15 @@
+imports:
+    - { resource: ../config/framework.yml }
+
+services:
+    _defaults: { public: true }
+    test.autowiring_types.autowired_services:
+        class: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AutowiringBundle\AutowiredServices
+        autowire: true
+security:
+    providers:
+        dummy:
+            memory: ~
+    firewalls:
+        dummy:
+            security: false

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/CsrfFormLogin/base_config.yml

@@ -15,6 +15,7 @@ services:
             - { name: container.service_subscriber }
 
 security:
+    enable_authenticator_manager: true
     password_hashers:
         Symfony\Component\Security\Core\User\InMemoryUser: plaintext
 

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/CsrfFormLogin/config.yml

@@ -2,6 +2,7 @@ imports:
     - { resource: ./base_config.yml }
 
 security:
+    enable_authenticator_manager: true
     firewalls:
         default:
             form_login:

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/CsrfFormLogin/legacy_base_config.yml

@@ -0,0 +1,49 @@
+imports:
+    - { resource: ./../config/default.yml }
+
+services:
+    csrf_form_login.form.type:
+        class: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\CsrfFormLoginBundle\Form\UserLoginType
+        arguments:
+            - '@request_stack'
+        tags:
+            - { name: form.type }
+
+    Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\CsrfFormLoginBundle\Controller\LoginController:
+        public: true
+        tags:
+            - { name: container.service_subscriber }
+
+security:
+    password_hashers:
+        Symfony\Component\Security\Core\User\InMemoryUser: plaintext
+
+    providers:
+        in_memory:
+            memory:
+                users:
+                    johannes: { password: test, roles: [ROLE_USER] }
+
+    firewalls:
+        # This firewall doesn't make sense in combination with the rest of the
+        # configuration file, but it's here for testing purposes (do not use
+        # this file in a real world scenario though)
+        login_form:
+            pattern: ^/login$
+            security: false
+
+        default:
+            form_login:
+                check_path: /login_check
+                default_target_path: /profile
+                target_path_parameter: "user_login[_target_path]"
+                failure_path_parameter: "user_login[_failure_path]"
+                username_parameter: "user_login[username]"
+                password_parameter: "user_login[password]"
+            logout:
+                path: /logout_path
+                target: /
+                csrf_token_generator: security.csrf.token_manager
+
+    access_control:
+        - { path: .*, roles: IS_AUTHENTICATED_FULLY }

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/CsrfFormLogin/legacy_config.yml

@@ -1,5 +1,5 @@
 imports:
-    - { resource: ./base_config.yml }
+    - { resource: ./legacy_base_config.yml }
 
 security:
   firewalls: