5.6 KiB
CHANGELOG
3.4.0
- Added new
security.helper
service that is an instance ofSymfony\Component\Security\Core\Security
and provides shortcuts for common security tasks. - Tagging voters with the
security.voter
tag without implementing theVoterInterface
on the class is now deprecated and will be removed in 4.0. - [BC BREAK]
FirewallContext::getListeners()
now returns\Traversable|array
- added info about called security listeners in profiler
- Added
logout_on_user_change
to the firewall options. This config item will trigger a logout when the user has changed. Should be set to true to avoid deprecations in the configuration. - deprecated HTTP digest authentication
- deprecated command
acl:set
along withSetAclCommand
class - deprecated command
init:acl
along withInitAclCommand
class - Added support for the new Argon2i password encoder
- added
stateless
option to theswitch_user
listener - deprecated auto picking the first registered provider when no configured provider on a firewall and ambiguous
3.3.0
- Deprecated instantiating
UserPasswordEncoderCommand
without its constructor arguments fully provided. - Deprecated
UserPasswordEncoderCommand::getContainer()
and relying on theContainerAwareCommand
sub class orContainerAwareInterface
implementation for this command. - Deprecated the
FirewallMap::$map
and$container
properties. - [BC BREAK] Keys of the
users
node forin_memory
user provider are no longer normalized. - deprecated
FirewallContext::getListeners()
3.2.0
- Added the
SecurityUserValueResolver
to inject the security users in actions viaSymfony\Component\Security\Core\User\UserInterface
in the method signature.
3.0.0
- Removed the
security.context
service.
2.8.0
- deprecated the
key
setting ofanonymous
,remember_me
andhttp_digest
in favor of thesecret
setting. - deprecated the
intention
firewall listener setting in favor of thecsrf_token_id
.
2.6.0
- Added the possibility to override the default success/failure handler to get the provider key and the options injected
- Deprecated the
security.context
service for thesecurity.token_storage
andsecurity.authorization_checker
services.
2.4.0
- Added 'host' option to firewall configuration
- Added 'csrf_token_generator' and 'csrf_token_id' options to firewall logout listener configuration to supersede/alias 'csrf_provider' and 'intention' respectively
- Moved 'security.secure_random' service configuration to FrameworkBundle
2.3.0
- allowed for multiple IP address in security access_control rules
2.2.0
- Added PBKDF2 Password encoder
- Added BCrypt password encoder
2.1.0
-
[BC BREAK] The custom factories for the firewall configuration are now registered during the build method of bundles instead of being registered by the end-user (you need to remove the 'factories' keys in your security configuration).
-
[BC BREAK] The Firewall listener is now registered after the Router one. This means that specific Firewall URLs (like /login_check and /logout must now have proper route defined in your routing configuration)
-
[BC BREAK] refactored the user provider configuration. The configuration changed for the chain provider and the memory provider:
Before:
security: providers: my_chain_provider: providers: [my_memory_provider, my_doctrine_provider] my_memory_provider: users: toto: { password: foobar, roles: [ROLE_USER] } foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] }
After:
security: providers: my_chain_provider: chain: providers: [my_memory_provider, my_doctrine_provider] my_memory_provider: memory: users: toto: { password: foobar, roles: [ROLE_USER] } foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] }
-
[BC BREAK] Method
equals
was removed fromUserInterface
to its own newEquatableInterface
. The user class can now implement this interface to override the default implementation of users equality test. -
added a validator for the user password
-
added 'erase_credentials' as a configuration key (true by default)
-
added new events:
security.authentication.success
andsecurity.authentication.failure
fired on authentication success/failure, regardless of authentication method, events are defined in new event class:Symfony\Component\Security\Core\AuthenticationEvents
. -
Added optional CSRF protection to LogoutListener:
security: firewalls: default: logout: path: /logout_path target: / csrf_parameter: _csrf_token # Optional (defaults to "_csrf_token") csrf_provider: security.csrf.token_generator # Required to enable protection intention: logout # Optional (defaults to "logout")
If the LogoutListener has CSRF protection enabled but cannot validate a token, then a LogoutException will be thrown.
-
Added
logout_url
templating helper and Twig extension, which may be used to generate logout URL's within templates. The security firewall's config key must be specified. If a firewall's logout listener has CSRF protection enabled, a token will be automatically added to the generated URL.