symfony · nicolas-grekas · Jun 24, 2025 · Jun 23, 2025
diff --git a/UPGRADE-8.0.md b/UPGRADE-8.0.md
@@ -326,6 +326,10 @@ Security
   +}
   ```
 
+ * Remove callable firewall listeners support, extend `AbstractListener` or implement `FirewallListenerInterface` instead
+ * Remove `AbstractListener::__invoke`
+ * Remove `LazyFirewallContext::__invoke()`
+
 Serializer
 ----------
 

@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+8.0
+---
+
+ * Remove `LazyFirewallContext::__invoke()`
+
 7.4
 ---
 

@@ -16,8 +16,6 @@
 use Symfony\Bundle\SecurityBundle\Security\LazyFirewallContext;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticatorManagerListener;
-use Symfony\Component\Security\Http\Firewall\AbstractListener;
-use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Contracts\Service\ResetInterface;
 
 /**
@@ -33,7 +31,7 @@ final class TraceableFirewallListener extends FirewallListener implements ResetI
     public function getWrappedListeners(): array
     {
         return array_map(
-            static fn (WrappedListener|WrappedLazyListener $listener) => $listener->getInfo(),
+            static fn (WrappedLazyListener $listener) => $listener->getInfo(),
             $this->wrappedListeners
         );
     }
@@ -62,10 +60,7 @@ protected function callListeners(RequestEvent $event, iterable $listeners): void
                         if ($listener instanceof TraceableAuthenticatorManagerListener) {
                             $contextAuthenticatorManagerListener ??= $listener;
                         }
-                        $contextWrappedListeners[] = $listener instanceof FirewallListenerInterface
-                            ? new WrappedLazyListener($listener)
-                            : new WrappedListener($listener)
-                        ;
+                        $contextWrappedListeners[] = new WrappedLazyListener($listener);
                     }
                     $this->listeners = $contextWrappedListeners;
                 }, $listener, FirewallContext::class)();
@@ -78,23 +73,20 @@ protected function callListeners(RequestEvent $event, iterable $listeners): void
                 if ($listener instanceof TraceableAuthenticatorManagerListener) {
                     $this->authenticatorManagerListener ??= $listener;
                 }
-                $wrappedListener = $listener instanceof FirewallListenerInterface
-                    ? new WrappedLazyListener($listener)
-                    : new WrappedListener($listener)
-                ;
+                $wrappedListener = new WrappedLazyListener($listener);
                 $this->wrappedListeners[] = $wrappedListener;
 
                 $requestListeners[] = $wrappedListener;
             }
         }
 
         foreach ($requestListeners as $listener) {
-            if (!$listener instanceof FirewallListenerInterface) {
-                $listener($event);
-            } elseif (false !== $listener->supports($event->getRequest())) {
-                $listener->authenticate($event);
+            if (false === $listener->supports($event->getRequest())) {
+                continue;
             }
 
+            $listener->authenticate($event);
+
             if ($event->hasResponse()) {
                 break;
             }

@@ -12,10 +12,13 @@
 namespace Symfony\Bundle\SecurityBundle\Debug;
 
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Core\Exception\LazyResponseException;
+use Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticatorManagerListener;
 use Symfony\Component\Security\Http\Firewall\AbstractListener;
 use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
+use Symfony\Component\VarDumper\Caster\ClassStub;
 
 /**
  * Wraps a lazy security listener.
@@ -26,7 +29,10 @@
  */
 final class WrappedLazyListener extends AbstractListener
 {
-    use TraceableListenerTrait;
+    private ?Response $response = null;
+    private FirewallListenerInterface $listener;
+    private ?float $time = null;
+    private ClassStub $stub;
 
     public function __construct(FirewallListenerInterface $listener)
     {
@@ -54,4 +60,21 @@ public function authenticate(RequestEvent $event): void
 
         $this->response = $event->getResponse();
     }
+
+    public function getInfo(): array
+    {
+        return [
+            'response' => $this->response,
+            'time' => $this->time,
+            'stub' => $this->stub ??= new ClassStub($this->listener instanceof TraceableAuthenticatorManagerListener ? $this->listener->getAuthenticatorManagerListener()::class : $this->listener::class),
+        ];
+    }
+
+    /**
+     * Proxies all method calls to the original listener.
+     */
+    public function __call(string $method, array $arguments): mixed
+    {
+        return $this->listener->{$method}(...$arguments);
+    }
 }
@@ -24,7 +24,7 @@
 class FirewallContext
 {
     /**
-     * @param iterable<mixed, callable> $listeners
+     * @param iterable<mixed, FirewallListenerInterface> $listeners
      */
     public function __construct(
         private iterable $listeners,
@@ -40,7 +40,7 @@ public function getConfig(): ?FirewallConfig
     }
 
     /**
-     * @return iterable<mixed, FirewallListenerInterface|callable>
+     * @return iterable<mixed, FirewallListenerInterface>
      */
     public function getListeners(): iterable
     {

@@ -15,7 +15,6 @@
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Http\Event\LazyResponseEvent;
-use Symfony\Component\Security\Http\Firewall\AbstractListener;
 use Symfony\Component\Security\Http\Firewall\ExceptionListener;
 use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Component\Security\Http\Firewall\LogoutListener;
@@ -54,20 +53,15 @@ public function authenticate(RequestEvent $event): void
         $lazy = $request->isMethodCacheable();
 
         foreach (parent::getListeners() as $listener) {
-            if (!$listener instanceof FirewallListenerInterface) {
-                trigger_deprecation('symfony/security-http', '7.4', 'Using a callable as firewall listener is deprecated, extend "%s" or implement "%s" instead.', AbstractListener::class, FirewallListenerInterface::class);
-
+            if (false !== $supports = $listener->supports($request)) {
                 $listeners[] = $listener;
-                $lazy = false;
-            } elseif (false !== $supports = $listener->supports($request)) {
-                $listeners[] = [$listener, 'authenticate'];
                 $lazy = $lazy && null === $supports;
             }
         }
 
         if (!$lazy) {
             foreach ($listeners as $listener) {
-                $listener($event);
+                $listener->authenticate($event);
 
                 if ($event->hasResponse()) {
                     return;
@@ -80,7 +74,7 @@ public function authenticate(RequestEvent $event): void
         $this->tokenStorage->setInitializer(function () use ($event, $listeners) {
             $event = new LazyResponseEvent($event);
             foreach ($listeners as $listener) {
-                $listener($event);
+                $listener->authenticate($event);
             }
         });
     }
@@ -89,14 +83,4 @@ public static function getPriority(): int
     {
         return 0;
     }
-
-    /**
-     * @deprecated since Symfony 7.4, to be removed in 8.0
-     */
-    public function __invoke(RequestEvent $event): void
-    {
-        trigger_deprecation('symfony/security-bundle', '7.4', 'The "%s()" method is deprecated since Symfony 7.4 and will be removed in 8.0.', __METHOD__);
-
-        $this->authenticate($event);
-    }
 }
@@ -33,6 +33,7 @@
 use Symfony\Component\Security\Http\Firewall\AuthenticatorManagerListener;
 use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
+use Symfony\Component\VarDumper\Caster\ClassStub;
 
 /**
  * @group time-sensitive
@@ -75,7 +76,8 @@ public function authenticate(RequestEvent $event): void
 
         $listeners = $firewall->getWrappedListeners();
         $this->assertCount(1, $listeners);
-        $this->assertSame($listener, $listeners[0]['stub']);
+        $this->assertInstanceOf(ClassStub::class, $listeners[0]['stub']);
+        $this->assertSame((string) new ClassStub($listener::class), (string) $listeners[0]['stub']);
     }
 
     public function testOnKernelRequestRecordsAuthenticatorsInfo()

@@ -22,7 +22,6 @@
         "symfony/clock": "^7.4|^8.0",
         "symfony/config": "^7.4|^8.0",
         "symfony/dependency-injection": "^7.4|^8.0",
-        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/event-dispatcher": "^7.4|^8.0",
         "symfony/http-kernel": "^7.4|^8.0",
         "symfony/http-foundation": "^7.4|^8.0",

@@ -1,6 +1,12 @@
 CHANGELOG
 =========
 
+8.0
+---
+
+ * Remove callable firewall listeners support, extend `AbstractListener` or implement `FirewallListenerInterface` instead
+ * Remove `AbstractListener::__invoke`
+
 7.4
 ---
 

@@ -16,9 +16,7 @@
 use Symfony\Component\HttpKernel\Event\FinishRequestEvent;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\HttpKernel\KernelEvents;
-use Symfony\Component\Security\Http\Firewall\AbstractListener;
 use Symfony\Component\Security\Http\Firewall\ExceptionListener;
-use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
 
 /**
@@ -66,14 +64,12 @@ public function onKernelRequest(RequestEvent $event): void
         // Authentication listeners are pre-sorted by SortFirewallListenersPass
         $authenticationListeners = function () use ($authenticationListeners, $logoutListener) {
             if (null !== $logoutListener) {
-                $logoutListenerPriority = $this->getListenerPriority($logoutListener);
+                $logoutListenerPriority = $logoutListener::getPriority();
             }
 
             foreach ($authenticationListeners as $listener) {
-                $listenerPriority = $this->getListenerPriority($listener);
-
                 // Yielding the LogoutListener at the correct position
-                if (null !== $logoutListener && $listenerPriority < $logoutListenerPriority) {
+                if (null !== $logoutListener && $listener::getPriority() < $logoutListenerPriority) {
                     yield $logoutListener;
                     $logoutListener = null;
                 }
@@ -111,22 +107,15 @@ public static function getSubscribedEvents(): array
     protected function callListeners(RequestEvent $event, iterable $listeners): void
     {
         foreach ($listeners as $listener) {
-            if (!$listener instanceof FirewallListenerInterface) {
-                trigger_deprecation('symfony/security-http', '7.4', 'Using a callable as firewall listener is deprecated, extend "%s" or implement "%s" instead.', AbstractListener::class, FirewallListenerInterface::class);
-
-                $listener($event);
-            } elseif (false !== $listener->supports($event->getRequest())) {
-                $listener->authenticate($event);
+            if (false === $listener->supports($event->getRequest())) {
+                continue;
             }
 
+            $listener->authenticate($event);
+
             if ($event->hasResponse()) {
                 break;
             }
         }
     }
-
-    private function getListenerPriority(object $listener): int
-    {
-        return $listener instanceof FirewallListenerInterface ? $listener->getPriority() : 0;
-    }
 }