symfony

Archived

This repository has been archived on 2023-08-20. You can view files and clone it, but cannot push or open issues or pull requests.

History

Fabien Potencier 0fa01aeda1 feature #37336 [Security] Let security factories add firewall listeners (scheb) This PR was merged into the 5.2-dev branch. Discussion ---------- [Security] Let security factories add firewall listeners \| Q \| A \| ------------- \| --- \| Branch? \| master \| Bug fix? \| no \| New feature? \| yes \| Deprecations? \| no \| License \| MIT \| Doc PR \| n/a Hello there, I'm the author of `scheb/two-factor-bundle`, which extends Symfony's security layer with two-factor authentication. I've been closely following the recent changes by @wouterj to rework the security layer with "authenticators" (great work!). While I managed to make my bundle work with authenticators, I see some limitations in the security layer that I'd like to address to make such extensions easier to implement. With the new authenticator-based security system, it is no longer possible to add a authentication listener to the firewall. The only way to do it is a dirty compiler pass, which extends the argument on the `security.firewall.map.context.[firewallName]` service (like I do in: `ed2ce9804b/src/bundle/DependencyInjection/Compiler/AccessListenerCompilerPass.php`). This is quite ugly and hacky, so I believe there should be an easier and clean way to add firewall-level listeners. This PR adds an interface, which may be implemented by security factories and lets them add additional listeners to the firewall. Why would you want to do that? There are certain use-cases that require extra logic to handle a request within the firewall. For example in my bundle, I need to handle the intermediate state between login and the completion of two-factor authentication. So ideally, I'm able to execute some code from the firewall right before `Symfony\Component\Security\Http\Firewall\AccessListener`. In the old security system, I could handle this in my authentication listener, which I had to implement anyways. With the new authenticator-based system this option is gone. In the ideal world, I could add a firewall listener and tell it to execute between `LogoutListener` and `AccessListener`. This is a draft, so I'd like to hear your opinion on this :) There's another issue, regarding the order of execution, which I'm addressing with #37337. Commits ------- `0a4fcea8db` Add interface to let security factories add their own firewall listeners	2020-06-20 17:05:14 +02:00
..
Symfony	feature #37336 [Security] Let security factories add firewall listeners (scheb)	2020-06-20 17:05:14 +02:00

Fabien Potencier 0fa01aeda1 feature #37336 [Security] Let security factories add firewall listeners (scheb)

This PR was merged into the 5.2-dev branch.

Discussion
----------

[Security] Let security factories add firewall listeners

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| License       | MIT
| Doc PR        | n/a

Hello there, I'm the author of `scheb/two-factor-bundle`, which extends Symfony's security layer with two-factor authentication. I've been closely following the recent changes by @wouterj to rework the security layer with "authenticators" (great work!). While I managed to make my bundle work with authenticators, I see some limitations in the security layer that I'd like to address to make such extensions easier to implement.

With the new authenticator-based security system, it is no longer possible to add a authentication listener to the firewall. The only way to do it is a dirty compiler pass, which extends the argument on the `security.firewall.map.context.[firewallName]` service (like I do in: ed2ce9804b/src/bundle/DependencyInjection/Compiler/AccessListenerCompilerPass.php). This is quite ugly and hacky, so I believe there should be an easier and clean way to add firewall-level listeners. This PR adds an interface, which may be implemented by security factories and lets them add additional listeners to the firewall.

Why would you want to do that? There are certain use-cases that require extra logic to handle a request within the firewall. For example in my bundle, I need to handle the intermediate state between login and the completion of two-factor authentication. So ideally, I'm able to execute some code from the firewall right before `Symfony\Component\Security\Http\Firewall\AccessListener`. In the old security system, I could handle this in my authentication listener, which I had to implement anyways. With the new authenticator-based system this option is gone. In the ideal world, I could add a firewall listener and tell it to execute between `LogoutListener` and `AccessListener`.

This is a draft, so I'd like to hear your opinion on this :)

There's another issue, regarding the order of execution, which I'm addressing with #37337.

Commits
-------

0a4fcea8db Add interface to let security factories add their own firewall listeners

2020-06-20 17:05:14 +02:00

Symfony feature #37336 [Security] Let security factories add firewall listeners (scheb) 2020-06-20 17:05:14 +02:00