CHANGELOG ========= 7.1 --- * Mark class `ExpressionCacheWarmer` as `final` * Support multiple signature algorithms for OIDC Token * Support JWK or JWKSet for OIDC Token 7.0 --- * Enabling SecurityBundle and not configuring it is not allowed * Remove the `enable_authenticator_manager` config option * Remove the `security.firewalls.logout.csrf_token_generator` config option, use `security.firewalls.logout.csrf_token_manager` instead * Remove the `require_previous_session` config option from authenticators 6.4 --- * Deprecate `Security::ACCESS_DENIED_ERROR`, `AUTHENTICATION_ERROR` and `LAST_USERNAME` constants, use the ones on `SecurityRequestAttributes` instead * Allow an array of `pattern` in firewall configuration * Add `$badges` argument to `Security::login` * Deprecate the `require_previous_session` config option. Setting it has no effect anymore * Add `LogoutRouteLoader` 6.3 --- * Deprecate enabling bundle and not configuring it * Add `_stateless` attribute to the request when firewall is stateless and the attribute is not already set * Add `StatelessAuthenticatorFactoryInterface` for authenticators targeting `stateless` firewalls only and that don't require a user provider * Modify "icon.svg" to improve accessibility for blind/low vision users * Make `Security::login()` return the authenticator response * Deprecate the `security.firewalls.logout.csrf_token_generator` config option, use `security.firewalls.logout.csrf_token_manager` instead * Make firewalls event dispatcher traceable on debug mode * Add `TokenHandlerFactoryInterface`, `OidcUserInfoTokenHandlerFactory`, `OidcTokenHandlerFactory` and `ServiceTokenHandlerFactory` for `AccessTokenFactory` 6.2 --- * Add the `Security` helper class * Deprecate the `Symfony\Component\Security\Core\Security` service alias, use `Symfony\Bundle\SecurityBundle\Security` instead * Add `Security::getFirewallConfig()` to help to get the firewall configuration associated to the Request * Add `Security::login()` to login programmatically * Add `Security::logout()` to logout programmatically * Add `security.firewalls.logout.enable_csrf` to enable CSRF protection using the default CSRF token generator * Add RFC6750 Access Token support to allow token-based authentication * Add `security.firewalls.switch_user.target_route` option to configure redirect target route on switch user * Deprecate the `security.enable_authenticator_manager` config option 6.1 --- * The `security.access_control` now accepts a `RequestMatcherInterface` under the `request_matcher` option as scope configuration * The `security.access_control` now accepts an `attributes` array to match request attributes in the `RequestMatcher` * The `security.access_control` now accepts a `route` option to match request route in the `RequestMatcher` * Display the inherited roles of the logged-in user in the Web Debug Toolbar 6.0 --- * The `security.authorization_checker` and `security.token_storage` services are now private * Remove `UserPasswordEncoderCommand` class and the corresponding `user:encode-password` command, use `UserPasswordHashCommand` and `user:hash-password` instead * Remove the `security.encoder_factory.generic` service, the `security.encoder_factory` and `Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface` aliases, use `security.password_hasher_factory` and `Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface` instead * Remove the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases, use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead * Remove the `logout.success_handler` and `logout.handlers` config options, register a listener on the `LogoutEvent` event instead * Remove `FirewallConfig::getListeners()`, use `FirewallConfig::getAuthenticators()` instead 5.4 --- * Deprecate `FirewallConfig::getListeners()`, use `FirewallConfig::getAuthenticators()` instead * Deprecate `security.authentication.basic_entry_point` and `security.authentication.retry_entry_point` services, the logic is moved into the `HttpBasicAuthenticator` and `ChannelListener` respectively * Deprecate `FirewallConfig::allowsAnonymous()` and the `allows_anonymous` from the data collector data, there will be no anonymous concept as of version 6. * Deprecate not setting `$authenticatorManagerEnabled` to `true` in `SecurityDataCollector` and `DebugFirewallCommand` * Deprecate `SecurityFactoryInterface` and `SecurityExtension::addSecurityListenerFactory()` in favor of `AuthenticatorFactoryInterface` and `SecurityExtension::addAuthenticatorFactory()` * Add `AuthenticatorFactoryInterface::getPriority()` which replaces `SecurityFactoryInterface::getPosition()` * Deprecate passing an array of arrays as 1st argument to `MainConfiguration`, pass a sorted flat array of factories instead. * Deprecate the `always_authenticate_before_granting` option * Display the roles of the logged-in user in the Web Debug Toolbar * Add the `security.access_decision_manager.strategy_service` option * Deprecate not configuring explicitly a provider for custom_authenticators when there is more than one registered provider 5.3 --- * The authenticator system is no longer experimental * Login Link functionality is no longer experimental * Add `required_badges` firewall config option * [BC break] Add `login_throttling.lock_factory` setting defaulting to `null` (instead of `lock.factory`) * Add a `login_throttling.interval` (in `security.firewalls`) option to change the default throttling interval. * Add the `debug:firewall` command. * Deprecate `UserPasswordEncoderCommand` class and the corresponding `user:encode-password` command, use `UserPasswordHashCommand` and `user:hash-password` instead * Deprecate the `security.encoder_factory.generic` service, the `security.encoder_factory` and `Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface` aliases, use `security.password_hasher_factory` and `Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface` instead * Deprecate the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases, use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead * Deprecate the public `security.authorization_checker` and `security.token_storage` services to private * Not setting the `enable_authenticator_manager` config option to `true` is deprecated * Deprecate the `security.authentication.provider.*` services, use the new authenticator system instead * Deprecate the `security.authentication.listener.*` services, use the new authenticator system instead * Deprecate the Guard component integration, use the new authenticator system instead * Add `form_login.form_only` option 5.2.0 ----- * Added `FirewallListenerFactoryInterface`, which can be implemented by security factories to add firewall listeners * Added `SortFirewallListenersPass` to make the execution order of firewall listeners configurable by leveraging `Symfony\Component\Security\Http\Firewall\FirewallListenerInterface` * Added ability to use comma separated ip address list for `security.access_control` * [BC break] Removed `EntryPointFactoryInterface`, authenticators must now implement `AuthenticationEntryPointInterface` if they require autoregistration of a Security entry point. 5.1.0 ----- * Added XSD for configuration * Added security configuration for priority-based access decision strategy * Marked the `AnonymousFactory`, `FormLoginFactory`, `FormLoginLdapFactory`, `GuardAuthenticationFactory`, `HttpBasicFactory`, `HttpBasicLdapFactory`, `JsonLoginFactory`, `JsonLoginLdapFactory`, `RememberMeFactory`, `RemoteUserFactory` and `X509Factory` as `@internal` * Renamed method `AbstractFactory#createEntryPoint()` to `AbstractFactory#createDefaultEntryPoint()` 5.0.0 ----- * The `switch_user.stateless` firewall option has been removed. * Removed the ability to configure encoders using `argon2i` or `bcrypt` as algorithm, use `auto` instead * The `simple_form` and `simple_preauth` authentication listeners have been removed, use Guard instead. * The `SimpleFormFactory` and `SimplePreAuthenticationFactory` classes have been removed, use Guard instead. * Removed `LogoutUrlHelper` and `SecurityHelper` templating helpers, use Twig instead * Removed the `logout_on_user_change` firewall option * Removed the `threads` encoder option * Removed the `security.authentication.trust_resolver.anonymous_class` parameter * Removed the `security.authentication.trust_resolver.rememberme_class` parameter * Removed the `security.user.provider.in_memory.user` service. 4.4.0 ----- * Added `anonymous: lazy` mode to firewalls to make them (not) start the session as late as possible * Added `migrate_from` option to encoders configuration. * Added new `argon2id` encoder, undeprecated the `bcrypt` and `argon2i` ones (using `auto` is still recommended by default.) * Deprecated the usage of "query_string" without a "search_dn" and a "search_password" config key in Ldap factories. * Marked the `SecurityDataCollector` class as `@final`. 4.3.0 ----- * Added new encoder types: `auto` (recommended), `native` and `sodium` * The normalization of the cookie names configured in the `logout.delete_cookies` option is deprecated and will be disabled in Symfony 5.0. This affects to cookies with dashes in their names. For example, starting from Symfony 5.0, the `my-cookie` name will delete `my-cookie` (with a dash) instead of `my_cookie` (with an underscore). 4.2.0 ----- * Using the `security.authentication.trust_resolver.anonymous_class` and `security.authentication.trust_resolver.rememberme_class` parameters to define the token classes is deprecated. To use custom tokens extend the existing `Symfony\Component\Security\Core\Authentication\Token\AnonymousToken`. or `Symfony\Component\Security\Core\Authentication\Token\RememberMeToken`. * Added `Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddExpressionLanguageProvidersPass` * Added `json_login_ldap` authentication provider to use LDAP authentication with a REST API. * Made remember-me cookies inherit their default config from `framework.session.cookie_*` and added an "auto" mode to their "secure" config option to make them secure on HTTPS automatically. * Deprecated the `simple_form` and `simple_preauth` authentication listeners, use Guard instead. * Deprecated the `SimpleFormFactory` and `SimplePreAuthenticationFactory` classes, use Guard instead. * Added `port` in access_control * Added individual voter decisions to the profiler 4.1.0 ----- * The `switch_user.stateless` firewall option is deprecated, use the `stateless` option instead. * The `logout_on_user_change` firewall option is deprecated. * deprecated `SecurityUserValueResolver`, use `Symfony\Component\Security\Http\Controller\UserValueResolver` instead. 4.0.0 ----- * removed `FirewallContext::getContext()` * made `FirewallMap::$container` and `::$map` private * made the first `UserPasswordEncoderCommand::_construct()` argument mandatory * `UserPasswordEncoderCommand` does not extend `ContainerAwareCommand` anymore * removed support for voters that don't implement the `VoterInterface` * removed HTTP digest authentication * removed command `acl:set` along with `SetAclCommand` class * removed command `init:acl` along with `InitAclCommand` class * removed `acl` configuration key and related services, use symfony/acl-bundle instead * removed auto picking the first registered provider when no configured provider on a firewall and ambiguous * the firewall option `logout_on_user_change` is now always true, which will trigger a logout if the user changes between requests * the `switch_user.stateless` firewall option is `true` for stateless firewalls 3.4.0 ----- * Added new `security.helper` service that is an instance of `Symfony\Component\Security\Core\Security` and provides shortcuts for common security tasks. * Tagging voters with the `security.voter` tag without implementing the `VoterInterface` on the class is now deprecated and will be removed in 4.0. * [BC BREAK] `FirewallContext::getListeners()` now returns `\Traversable|array` * added info about called security listeners in profiler * Added `logout_on_user_change` to the firewall options. This config item will trigger a logout when the user has changed. Should be set to true to avoid deprecations in the configuration. * deprecated HTTP digest authentication * deprecated command `acl:set` along with `SetAclCommand` class * deprecated command `init:acl` along with `InitAclCommand` class * Added support for the new Argon2i password encoder * added `stateless` option to the `switch_user` listener * deprecated auto picking the first registered provider when no configured provider on a firewall and ambiguous 3.3.0 ----- * Deprecated instantiating `UserPasswordEncoderCommand` without its constructor arguments fully provided. * Deprecated `UserPasswordEncoderCommand::getContainer()` and relying on the `ContainerAwareCommand` sub class or `ContainerAwareInterface` implementation for this command. * Deprecated the `FirewallMap::$map` and `$container` properties. * [BC BREAK] Keys of the `users` node for `in_memory` user provider are no longer normalized. * deprecated `FirewallContext::getListeners()` 3.2.0 ----- * Added the `SecurityUserValueResolver` to inject the security users in actions via `Symfony\Component\Security\Core\User\UserInterface` in the method signature. 3.0.0 ----- * Removed the `security.context` service. 2.8.0 ----- * deprecated the `key` setting of `anonymous`, `remember_me` and `http_digest` in favor of the `secret` setting. * deprecated the `intention` firewall listener setting in favor of the `csrf_token_id`. 2.6.0 ----- * Added the possibility to override the default success/failure handler to get the provider key and the options injected * Deprecated the `security.context` service for the `security.token_storage` and `security.authorization_checker` services. 2.4.0 ----- * Added 'host' option to firewall configuration * Added 'csrf_token_generator' and 'csrf_token_id' options to firewall logout listener configuration to supersede/alias 'csrf_provider' and 'intention' respectively * Moved 'security.secure_random' service configuration to FrameworkBundle 2.3.0 ----- * allowed for multiple IP address in security access_control rules 2.2.0 ----- * Added PBKDF2 Password encoder * Added BCrypt password encoder 2.1.0 ----- * [BC BREAK] The custom factories for the firewall configuration are now registered during the build method of bundles instead of being registered by the end-user (you need to remove the 'factories' keys in your security configuration). * [BC BREAK] The Firewall listener is now registered after the Router one. This means that specific Firewall URLs (like /login_check and /logout must now have proper route defined in your routing configuration) * [BC BREAK] refactored the user provider configuration. The configuration changed for the chain provider and the memory provider: Before: ``` yaml security: providers: my_chain_provider: providers: [my_memory_provider, my_doctrine_provider] my_memory_provider: users: toto: { password: foobar, roles: [ROLE_USER] } foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] } ``` After: ``` yaml security: providers: my_chain_provider: chain: providers: [my_memory_provider, my_doctrine_provider] my_memory_provider: memory: users: toto: { password: foobar, roles: [ROLE_USER] } foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] } ``` * [BC BREAK] Method `equals` was removed from `UserInterface` to its own new `EquatableInterface`. The user class can now implement this interface to override the default implementation of users equality test. * added a validator for the user password * added 'erase_credentials' as a configuration key (true by default) * added new events: `security.authentication.success` and `security.authentication.failure` fired on authentication success/failure, regardless of authentication method, events are defined in new event class: `Symfony\Component\Security\Core\AuthenticationEvents`. * Added optional CSRF protection to LogoutListener: ``` yaml security: firewalls: default: logout: path: /logout_path target: / csrf_parameter: _csrf_token # Optional (defaults to "_csrf_token") csrf_provider: security.csrf.token_generator # Required to enable protection intention: logout # Optional (defaults to "logout") ``` If the LogoutListener has CSRF protection enabled but cannot validate a token, then a LogoutException will be thrown. * Added `logout_url` templating helper and Twig extension, which may be used to generate logout URL's within templates. The security firewall's config key must be specified. If a firewall's logout listener has CSRF protection enabled, a token will be automatically added to the generated URL.