New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security] Make firewall more extensible #22260
Comments
…rity, functional test. Refs symfony#22260
…rity, functional test. Refs symfony#22260
What's your use-case? Reading your PR, I think it's good to have the |
@iltar Can you clarify "couple some logic"? I think the firewall is an excellent place to hook in some request-based authorization, and in fact that is exactly what |
You're coupling authorization logic to authentication. The firewall is only authentication. You're coupling authorization logic with authentication.
What's something custom that's not possible with access_control? |
Uhm no, that is simply not true. Authorization of requests is handled by the firewall as well, not to mention some other stuff like impersonation and identity persistence across requests. |
In your PR you call it the The firewall has some options that are related to authorization, like access denied handlers, which can be used to re-authenticate as someone who does have enough access. What I see here, is a PR that adds authorization to the authentication configuration. Now my question still stands:
Maybe there's another solution. |
Correct, that is in an example of doing something "post-authentication", in this case specifically, authorization. I think I understand what you mean now, when you say "the firewall", you mean the firewalls as represented in the user configuration? What I mean when I say "the firewall" is the actual firewall object and its listeners. That PR is just some low hanging fruit, really the whole As far as the configuration goes, I don't think it is a "bad thing" to expose config options for a factual (code-wise) situation. Especially since writing these kinds of plugins would require a pretty intimate knowledge of how the firewall actually works and thus fall in the "advanced use" category. And I realize using Bottom line is, there is too much hardwired stuff in the listener chain in the firewall. I don't mean to be negative about it, I'm trying to do something about it :) |
Actually, I think that http://symfony.com/doc/current/security/user_checkers.html I fully agree with refactor you did for the
The access denied handler is triggered upon throwing an http://symfony.com/doc/current/security/access_denied_handler.html
Trying is always a good thing. For your PR, I would personally split the authorization (or post auth listener) from the |
I don't agree (obviously :P) but if that is what it takes to get the PR merged I will make the adjustments and probably submit a PR with more extensive improvements later. |
Refactoring all the listeners to use factories and sorting positions is even more involved than I already suspected. But I am willing to do it, if there's interest. |
As long as you are only interested in authentication, adding behavior to the firewall works fine. But if you need your listener to be executed after the
AnonymousAuthenticationListener
, you're gonna get a cold shower.What would be needed is new items in
SecurityExtension::$listenerPositions
for the listeners that are now added without using that (I counted 3 real quick), add all the listeners in a single loop. Then it would also be nice to allow NULL for the first value in the tuple returned bySecurityFactoryInterface::create()
, I now have to work around that by using a provider that always returns FALSE whensupport()
is invoked because it actually is interpreted as a service ID of "" (which could also be considered a bug).I'll gladly cook up a PR if it has any chance of getting merged.
The text was updated successfully, but these errors were encountered: