mydevel/webroot

Fork 0

Christian Moser 732a826cc6 2024.12.01 20:57:28

2024-12-01 20:57:32 +01:00

17 KiB

Raw Blame History

CHANGELOG

6.4

Deprecate Security::ACCESS_DENIED_ERROR, AUTHENTICATION_ERROR and LAST_USERNAME constants, use the ones on SecurityRequestAttributes instead
Allow an array of pattern in firewall configuration
Add $badges argument to Security::login
Deprecate the require_previous_session config option. Setting it has no effect anymore
Add LogoutRouteLoader

6.3

Deprecate enabling bundle and not configuring it
Add _stateless attribute to the request when firewall is stateless and the attribute is not already set
Add StatelessAuthenticatorFactoryInterface for authenticators targeting stateless firewalls only and that don't require a user provider
Modify "icon.svg" to improve accessibility for blind/low vision users
Make Security::login() return the authenticator response
Deprecate the security.firewalls.logout.csrf_token_generator config option, use security.firewalls.logout.csrf_token_manager instead
Make firewalls event dispatcher traceable on debug mode
Add TokenHandlerFactoryInterface, OidcUserInfoTokenHandlerFactory, OidcTokenHandlerFactory and ServiceTokenHandlerFactory for AccessTokenFactory

6.2

Add the Security helper class
Deprecate the Symfony\Component\Security\Core\Security service alias, use Symfony\Bundle\SecurityBundle\Security instead
Add Security::getFirewallConfig() to help to get the firewall configuration associated to the Request
Add Security::login() to login programmatically
Add Security::logout() to logout programmatically
Add security.firewalls.logout.enable_csrf to enable CSRF protection using the default CSRF token generator
Add RFC6750 Access Token support to allow token-based authentication
Add security.firewalls.switch_user.target_route option to configure redirect target route on switch user
Deprecate the security.enable_authenticator_manager config option

6.1

The security.access_control now accepts a RequestMatcherInterface under the request_matcher option as scope configuration
The security.access_control now accepts an attributes array to match request attributes in the RequestMatcher
The security.access_control now accepts a route option to match request route in the RequestMatcher
Display the inherited roles of the logged-in user in the Web Debug Toolbar

6.0

The security.authorization_checker and security.token_storage services are now private
Remove UserPasswordEncoderCommand class and the corresponding user:encode-password command, use UserPasswordHashCommand and user:hash-password instead
Remove the security.encoder_factory.generic service, the security.encoder_factory and Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface aliases, use security.password_hasher_factory and Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface instead
Remove the security.user_password_encoder.generic service, the security.password_encoder and the Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface aliases, use security.user_password_hasher, security.password_hasher and Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface instead
Remove the logout.success_handler and logout.handlers config options, register a listener on the LogoutEvent event instead
Remove FirewallConfig::getListeners(), use FirewallConfig::getAuthenticators() instead

5.4

Deprecate FirewallConfig::getListeners(), use FirewallConfig::getAuthenticators() instead
Deprecate security.authentication.basic_entry_point and security.authentication.retry_entry_point services, the logic is moved into the HttpBasicAuthenticator and ChannelListener respectively
Deprecate FirewallConfig::allowsAnonymous() and the allows_anonymous from the data collector data, there will be no anonymous concept as of version 6.
Deprecate not setting $authenticatorManagerEnabled to true in SecurityDataCollector and DebugFirewallCommand
Deprecate SecurityFactoryInterface and SecurityExtension::addSecurityListenerFactory() in favor of AuthenticatorFactoryInterface and SecurityExtension::addAuthenticatorFactory()
Add AuthenticatorFactoryInterface::getPriority() which replaces SecurityFactoryInterface::getPosition()
Deprecate passing an array of arrays as 1st argument to MainConfiguration, pass a sorted flat array of factories instead.
Deprecate the always_authenticate_before_granting option
Display the roles of the logged-in user in the Web Debug Toolbar
Add the security.access_decision_manager.strategy_service option
Deprecate not configuring explicitly a provider for custom_authenticators when there is more than one registered provider

5.3

The authenticator system is no longer experimental
Login Link functionality is no longer experimental
Add required_badges firewall config option
[BC break] Add login_throttling.lock_factory setting defaulting to null (instead of lock.factory)
Add a login_throttling.interval (in security.firewalls) option to change the default throttling interval.
Add the debug:firewall command.
Deprecate UserPasswordEncoderCommand class and the corresponding user:encode-password command, use UserPasswordHashCommand and user:hash-password instead
Deprecate the security.encoder_factory.generic service, the security.encoder_factory and Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface aliases, use security.password_hasher_factory and Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface instead
Deprecate the security.user_password_encoder.generic service, the security.password_encoder and the Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface aliases, use security.user_password_hasher, security.password_hasher and Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface instead
Deprecate the public security.authorization_checker and security.token_storage services to private
Not setting the enable_authenticator_manager config option to true is deprecated
Deprecate the security.authentication.provider.* services, use the new authenticator system instead
Deprecate the security.authentication.listener.* services, use the new authenticator system instead
Deprecate the Guard component integration, use the new authenticator system instead
Add form_login.form_only option

5.2.0

Added FirewallListenerFactoryInterface, which can be implemented by security factories to add firewall listeners
Added SortFirewallListenersPass to make the execution order of firewall listeners configurable by leveraging Symfony\Component\Security\Http\Firewall\FirewallListenerInterface
Added ability to use comma separated ip address list for security.access_control
[BC break] Removed EntryPointFactoryInterface, authenticators must now implement AuthenticationEntryPointInterface if they require autoregistration of a Security entry point.

5.1.0

Added XSD for configuration
Added security configuration for priority-based access decision strategy
Marked the AnonymousFactory, FormLoginFactory, FormLoginLdapFactory, GuardAuthenticationFactory, HttpBasicFactory, HttpBasicLdapFactory, JsonLoginFactory, JsonLoginLdapFactory, RememberMeFactory, RemoteUserFactory and X509Factory as @internal
Renamed method AbstractFactory#createEntryPoint() to AbstractFactory#createDefaultEntryPoint()

5.0.0

The switch_user.stateless firewall option has been removed.
Removed the ability to configure encoders using argon2i or bcrypt as algorithm, use auto instead
The simple_form and simple_preauth authentication listeners have been removed, use Guard instead.
The SimpleFormFactory and SimplePreAuthenticationFactory classes have been removed, use Guard instead.
Removed LogoutUrlHelper and SecurityHelper templating helpers, use Twig instead
Removed the logout_on_user_change firewall option
Removed the threads encoder option
Removed the security.authentication.trust_resolver.anonymous_class parameter
Removed the security.authentication.trust_resolver.rememberme_class parameter
Removed the security.user.provider.in_memory.user service.

4.4.0

Added anonymous: lazy mode to firewalls to make them (not) start the session as late as possible
Added migrate_from option to encoders configuration.
Added new argon2id encoder, undeprecated the bcrypt and argon2i ones (using auto is still recommended by default.)
Deprecated the usage of "query_string" without a "search_dn" and a "search_password" config key in Ldap factories.
Marked the SecurityDataCollector class as @final.

4.3.0

Added new encoder types: auto (recommended), native and sodium
The normalization of the cookie names configured in the logout.delete_cookies option is deprecated and will be disabled in Symfony 5.0. This affects to cookies with dashes in their names. For example, starting from Symfony 5.0, the my-cookie name will delete my-cookie (with a dash) instead of my_cookie (with an underscore).

4.2.0

Using the security.authentication.trust_resolver.anonymous_class and security.authentication.trust_resolver.rememberme_class parameters to define the token classes is deprecated. To use custom tokens extend the existing Symfony\Component\Security\Core\Authentication\Token\AnonymousToken. or Symfony\Component\Security\Core\Authentication\Token\RememberMeToken.
Added Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddExpressionLanguageProvidersPass
Added json_login_ldap authentication provider to use LDAP authentication with a REST API.
Made remember-me cookies inherit their default config from framework.session.cookie_* and added an "auto" mode to their "secure" config option to make them secure on HTTPS automatically.
Deprecated the simple_form and simple_preauth authentication listeners, use Guard instead.
Deprecated the SimpleFormFactory and SimplePreAuthenticationFactory classes, use Guard instead.
Added port in access_control
Added individual voter decisions to the profiler

4.1.0

The switch_user.stateless firewall option is deprecated, use the stateless option instead.
The logout_on_user_change firewall option is deprecated.
deprecated SecurityUserValueResolver, use Symfony\Component\Security\Http\Controller\UserValueResolver instead.

4.0.0

removed FirewallContext::getContext()
made FirewallMap::$container and ::$map private
made the first UserPasswordEncoderCommand::_construct() argument mandatory
UserPasswordEncoderCommand does not extend ContainerAwareCommand anymore
removed support for voters that don't implement the VoterInterface
removed HTTP digest authentication
removed command acl:set along with SetAclCommand class
removed command init:acl along with InitAclCommand class
removed acl configuration key and related services, use symfony/acl-bundle instead
removed auto picking the first registered provider when no configured provider on a firewall and ambiguous
the firewall option logout_on_user_change is now always true, which will trigger a logout if the user changes between requests
the switch_user.stateless firewall option is true for stateless firewalls

3.4.0

Added new security.helper service that is an instance of Symfony\Component\Security\Core\Security and provides shortcuts for common security tasks.
Tagging voters with the security.voter tag without implementing the VoterInterface on the class is now deprecated and will be removed in 4.0.
[BC BREAK] FirewallContext::getListeners() now returns \Traversable|array
added info about called security listeners in profiler
Added logout_on_user_change to the firewall options. This config item will trigger a logout when the user has changed. Should be set to true to avoid deprecations in the configuration.
deprecated HTTP digest authentication
deprecated command acl:set along with SetAclCommand class
deprecated command init:acl along with InitAclCommand class
Added support for the new Argon2i password encoder
added stateless option to the switch_user listener
deprecated auto picking the first registered provider when no configured provider on a firewall and ambiguous

3.3.0

Deprecated instantiating UserPasswordEncoderCommand without its constructor arguments fully provided.
Deprecated UserPasswordEncoderCommand::getContainer() and relying on the ContainerAwareCommand sub class or ContainerAwareInterface implementation for this command.
Deprecated the FirewallMap::$map and $container properties.
[BC BREAK] Keys of the users node for in_memory user provider are no longer normalized.
deprecated FirewallContext::getListeners()

3.2.0

Added the SecurityUserValueResolver to inject the security users in actions via Symfony\Component\Security\Core\User\UserInterface in the method signature.

3.0.0

Removed the security.context service.

2.8.0

deprecated the key setting of anonymous, remember_me and http_digest in favor of the secret setting.
deprecated the intention firewall listener setting in favor of the csrf_token_id.

2.6.0

Added the possibility to override the default success/failure handler to get the provider key and the options injected
Deprecated the security.context service for the security.token_storage and security.authorization_checker services.

2.4.0

Added 'host' option to firewall configuration
Added 'csrf_token_generator' and 'csrf_token_id' options to firewall logout listener configuration to supersede/alias 'csrf_provider' and 'intention' respectively
Moved 'security.secure_random' service configuration to FrameworkBundle

2.3.0

allowed for multiple IP address in security access_control rules

2.2.0

Added PBKDF2 Password encoder
Added BCrypt password encoder

2.1.0

[BC BREAK] The custom factories for the firewall configuration are now registered during the build method of bundles instead of being registered by the end-user (you need to remove the 'factories' keys in your security configuration).
[BC BREAK] The Firewall listener is now registered after the Router one. This means that specific Firewall URLs (like /login_check and /logout must now have proper route defined in your routing configuration)

[BC BREAK] refactored the user provider configuration. The configuration changed for the chain provider and the memory provider:

Before:

security:
    providers:
        my_chain_provider:
            providers: [my_memory_provider, my_doctrine_provider]
        my_memory_provider:
            users:
                toto: { password: foobar, roles: [ROLE_USER] }
                foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] }

After:

security:
    providers:
        my_chain_provider:
            chain:
                providers: [my_memory_provider, my_doctrine_provider]
        my_memory_provider:
            memory:
                users:
                    toto: { password: foobar, roles: [ROLE_USER] }
                    foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] }

[BC BREAK] Method equals was removed from UserInterface to its own new EquatableInterface. The user class can now implement this interface to override the default implementation of users equality test.
added a validator for the user password
added 'erase_credentials' as a configuration key (true by default)
added new events: security.authentication.success and security.authentication.failure fired on authentication success/failure, regardless of authentication method, events are defined in new event class: Symfony\Component\Security\Core\AuthenticationEvents.

Added optional CSRF protection to LogoutListener:

security:
    firewalls:
        default:
            logout:
                path: /logout_path
                target: /
                csrf_parameter: _csrf_token                   # Optional (defaults to "_csrf_token")
                csrf_provider:  security.csrf.token_generator # Required to enable protection
                intention:      logout                        # Optional (defaults to "logout")

If the LogoutListener has CSRF protection enabled but cannot validate a token, then a LogoutException will be thrown.

Added logout_url templating helper and Twig extension, which may be used to generate logout URL's within templates. The security firewall's config key must be specified. If a firewall's logout listener has CSRF protection enabled, a token will be automatically added to the generated URL.

17 KiB Raw Blame History