[Security] Let security factories add firewall listeners #37336
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
wouterj
approved these changes
Jun 18, 2020
There was a problem hiding this comment.
As I've already noted somewhere in an issue on your bundle, I'm 👍 for this change.
For reference, the benefits of a firewall listener vs a normal request listener:
- It's only executed for requests inside the firewall (no need to do the matching again yourself)
- It allows to be executed lazily in lazy firewalls
985c190 to
e5e95a5
Compare
|
Question on naming: Should we call it "firewall listener" or should we rather go with "authentication listener"? These listeners are not necessarily doing authentication, that's why I went with "firewall listener", because it's a listener executed in the firewall. Build is green, so I remove the draft state now. |
|
Firewall listener sounds good to me. Can you update the CHANGELOG? |
e5e95a5 to
0a4fcea
Compare
chalasr
approved these changes
Jun 19, 2020
fabpot
approved these changes
Jun 20, 2020
|
Thank you @scheb. |
|
Thanks @scheb for the nice brainstorming and ideas. Congratz on getting your first feature PR merged! |
fabpot
added a commit
that referenced
this pull request
Sep 2, 2020
…isteners (scheb) This PR was merged into the 5.2-dev branch. Discussion ---------- [Security] Configurable execution order for firewall listeners | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes | Deprecations? | no | License | MIT | Doc PR | n/a Hello there, I'm the author of `scheb/two-factor-bundle`, which extends Symfony's security layer with two-factor authentication. I've been closely following the recent changes by @wouterj to rework the security layer with "authenticators" (great work!). While I managed to make my bundle work with authenticators, I see some limitations in the security layer that I'd like to address to make such extensions easier to implement. In #37336 I've submitted a draft to let security factories add their own authentication listeners to the firewall. This PR is intended to address the issue of execution order. If you look at the `Firewall` class https://github.com/symfony/symfony/blob/f64f59a9c0d92fdd65f9de3e44b612402b224aaf/src/Symfony/Component/Security/Http/Firewall.php#L62-L82 authentication listeners are executed in the order of their creation. Additionally, there's hardcoded logic to execute `Symfony\Component\Security\Http\Firewall\AccessListener` always last and the logout listener second to last. I'd like to have a more flexible approach, to remove the hardcoded order and give authentication listeners the ability to determine their execution order. I've added an optional interface to provide a priority to sort all registered authenitication listeners. Sorting is done in a compiler pass, so no time is wasted at runtime. This is a draft, so I'd like to hear your opinion on this :) Commits ------- 91388e8 Add ability to prioritize firewall listeners
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Hello there, I'm the author of
scheb/two-factor-bundle, which extends Symfony's security layer with two-factor authentication. I've been closely following the recent changes by @wouterj to rework the security layer with "authenticators" (great work!). While I managed to make my bundle work with authenticators, I see some limitations in the security layer that I'd like to address to make such extensions easier to implement.With the new authenticator-based security system, it is no longer possible to add a authentication listener to the firewall. The only way to do it is a dirty compiler pass, which extends the argument on the
security.firewall.map.context.[firewallName]service (like I do in: https://github.com/scheb/2fa/blob/ed2ce9804b6a78fe539894e77038ab96a52f5c56/src/bundle/DependencyInjection/Compiler/AccessListenerCompilerPass.php). This is quite ugly and hacky, so I believe there should be an easier and clean way to add firewall-level listeners. This PR adds an interface, which may be implemented by security factories and lets them add additional listeners to the firewall.Why would you want to do that? There are certain use-cases that require extra logic to handle a request within the firewall. For example in my bundle, I need to handle the intermediate state between login and the completion of two-factor authentication. So ideally, I'm able to execute some code from the firewall right before
Symfony\Component\Security\Http\Firewall\AccessListener. In the old security system, I could handle this in my authentication listener, which I had to implement anyways. With the new authenticator-based system this option is gone. In the ideal world, I could add a firewall listener and tell it to execute betweenLogoutListenerandAccessListener.This is a draft, so I'd like to hear your opinion on this :)
There's another issue, regarding the order of execution, which I'm addressing with #37337.