Merge branch '5.4' into 6.0

javiereguiluz · javiereguiluz · commit 2fcba90b7ca8 · 2022-11-18T16:41:52.000+01:00
* 5.4:
  [Security] Add form_only option
diff --git a/reference/configuration/security.rst b/reference/configuration/security.rst
@@ -332,6 +332,21 @@ failure_path
 This is the route or path that the user is redirected to after a failed login attempt.
 It can be a relative/absolute URL or a Symfony route name.
 
+form_only
+.........
+
+**type**: ``boolean`` **default**: ``false``
+
+Set this option to ``true`` to require that the login data is sent using a form
+(it checks that the request content-type is ``application/x-www-form-urlencoded``).
+This is useful for example to prevent the :ref:`form login authenticator <security-form-login>`
+from responding to requests that should be handled by the
+:ref:`JSON login authenticator <security-json-login>`.
+
+.. versionadded:: 5.4
+
+    The ``form_only`` option was introduced in Symfony 5.4.
+
 use_forward
 ...........
 
diff --git a/security.rst b/security.rst
@@ -919,6 +919,8 @@ After this, you have protected your login form against CSRF attacks.
     the token ID by setting  ``csrf_token_id`` in your configuration. See
     :ref:`reference-security-firewall-form-login` for more details.
 
+.. _security-json-login:
+
 JSON Login
 ~~~~~~~~~~
 
