- Mark class
ExpressionCacheWarmer
asfinal
- Support multiple signature algorithms for OIDC Token
- Support JWK or JWKSet for OIDC Token
- Enabling SecurityBundle and not configuring it is not allowed
- Remove the
enable_authenticator_manager
config option - Remove the
security.firewalls.logout.csrf_token_generator
config option, usesecurity.firewalls.logout.csrf_token_manager
instead - Remove the
require_previous_session
config option from authenticators
- Deprecate
Security::ACCESS_DENIED_ERROR
,AUTHENTICATION_ERROR
andLAST_USERNAME
constants, use the ones onSecurityRequestAttributes
instead - Allow an array of
pattern
in firewall configuration - Add
$badges
argument toSecurity::login
- Deprecate the
require_previous_session
config option. Setting it has no effect anymore - Add
LogoutRouteLoader
- Deprecate enabling bundle and not configuring it
- Add
_stateless
attribute to the request when firewall is stateless and the attribute is not already set - Add
StatelessAuthenticatorFactoryInterface
for authenticators targetingstateless
firewalls only and that don't require a user provider - Modify "icon.svg" to improve accessibility for blind/low vision users
- Make
Security::login()
return the authenticator response - Deprecate the
security.firewalls.logout.csrf_token_generator
config option, usesecurity.firewalls.logout.csrf_token_manager
instead - Make firewalls event dispatcher traceable on debug mode
- Add
TokenHandlerFactoryInterface
,OidcUserInfoTokenHandlerFactory
,OidcTokenHandlerFactory
andServiceTokenHandlerFactory
forAccessTokenFactory
- Add the
Security
helper class - Deprecate the
Symfony\Component\Security\Core\Security
service alias, useSymfony\Bundle\SecurityBundle\Security
instead - Add
Security::getFirewallConfig()
to help to get the firewall configuration associated to the Request - Add
Security::login()
to login programmatically - Add
Security::logout()
to logout programmatically - Add
security.firewalls.logout.enable_csrf
to enable CSRF protection using the default CSRF token generator - Add RFC6750 Access Token support to allow token-based authentication
- Add
security.firewalls.switch_user.target_route
option to configure redirect target route on switch user - Deprecate the
security.enable_authenticator_manager
config option
- The
security.access_control
now accepts aRequestMatcherInterface
under therequest_matcher
option as scope configuration - The
security.access_control
now accepts anattributes
array to match request attributes in theRequestMatcher
- The
security.access_control
now accepts aroute
option to match request route in theRequestMatcher
- Display the inherited roles of the logged-in user in the Web Debug Toolbar
- The
security.authorization_checker
andsecurity.token_storage
services are now private - Remove
UserPasswordEncoderCommand
class and the correspondinguser:encode-password
command, useUserPasswordHashCommand
anduser:hash-password
instead - Remove the
security.encoder_factory.generic
service, thesecurity.encoder_factory
andSymfony\Component\Security\Core\Encoder\EncoderFactoryInterface
aliases, usesecurity.password_hasher_factory
andSymfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface
instead - Remove the
security.user_password_encoder.generic
service, thesecurity.password_encoder
and theSymfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface
aliases, usesecurity.user_password_hasher
,security.password_hasher
andSymfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface
instead - Remove the
logout.success_handler
andlogout.handlers
config options, register a listener on theLogoutEvent
event instead - Remove
FirewallConfig::getListeners()
, useFirewallConfig::getAuthenticators()
instead
- Deprecate
FirewallConfig::getListeners()
, useFirewallConfig::getAuthenticators()
instead - Deprecate
security.authentication.basic_entry_point
andsecurity.authentication.retry_entry_point
services, the logic is moved into theHttpBasicAuthenticator
andChannelListener
respectively - Deprecate
FirewallConfig::allowsAnonymous()
and theallows_anonymous
from the data collector data, there will be no anonymous concept as of version 6. - Deprecate not setting
$authenticatorManagerEnabled
totrue
inSecurityDataCollector
andDebugFirewallCommand
- Deprecate
SecurityFactoryInterface
andSecurityExtension::addSecurityListenerFactory()
in favor ofAuthenticatorFactoryInterface
andSecurityExtension::addAuthenticatorFactory()
- Add
AuthenticatorFactoryInterface::getPriority()
which replacesSecurityFactoryInterface::getPosition()
- Deprecate passing an array of arrays as 1st argument to
MainConfiguration
, pass a sorted flat array of factories instead. - Deprecate the
always_authenticate_before_granting
option - Display the roles of the logged-in user in the Web Debug Toolbar
- Add the
security.access_decision_manager.strategy_service
option - Deprecate not configuring explicitly a provider for custom_authenticators when there is more than one registered provider
- The authenticator system is no longer experimental
- Login Link functionality is no longer experimental
- Add
required_badges
firewall config option - [BC break] Add
login_throttling.lock_factory
setting defaulting tonull
(instead oflock.factory
) - Add a
login_throttling.interval
(insecurity.firewalls
) option to change the default throttling interval. - Add the
debug:firewall
command. - Deprecate
UserPasswordEncoderCommand
class and the correspondinguser:encode-password
command, useUserPasswordHashCommand
anduser:hash-password
instead - Deprecate the
security.encoder_factory.generic
service, thesecurity.encoder_factory
andSymfony\Component\Security\Core\Encoder\EncoderFactoryInterface
aliases, usesecurity.password_hasher_factory
andSymfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface
instead - Deprecate the
security.user_password_encoder.generic
service, thesecurity.password_encoder
and theSymfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface
aliases, usesecurity.user_password_hasher
,security.password_hasher
andSymfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface
instead - Deprecate the public
security.authorization_checker
andsecurity.token_storage
services to private - Not setting the
enable_authenticator_manager
config option totrue
is deprecated - Deprecate the
security.authentication.provider.*
services, use the new authenticator system instead - Deprecate the
security.authentication.listener.*
services, use the new authenticator system instead - Deprecate the Guard component integration, use the new authenticator system instead
- Add
form_login.form_only
option
- Added
FirewallListenerFactoryInterface
, which can be implemented by security factories to add firewall listeners - Added
SortFirewallListenersPass
to make the execution order of firewall listeners configurable by leveragingSymfony\Component\Security\Http\Firewall\FirewallListenerInterface
- Added ability to use comma separated ip address list for
security.access_control
- [BC break] Removed
EntryPointFactoryInterface
, authenticators must now implementAuthenticationEntryPointInterface
if they require autoregistration of a Security entry point.
- Added XSD for configuration
- Added security configuration for priority-based access decision strategy
- Marked the
AnonymousFactory
,FormLoginFactory
,FormLoginLdapFactory
,GuardAuthenticationFactory
,HttpBasicFactory
,HttpBasicLdapFactory
,JsonLoginFactory
,JsonLoginLdapFactory
,RememberMeFactory
,RemoteUserFactory
andX509Factory
as@internal
- Renamed method
AbstractFactory#createEntryPoint()
toAbstractFactory#createDefaultEntryPoint()
- The
switch_user.stateless
firewall option has been removed. - Removed the ability to configure encoders using
argon2i
orbcrypt
as algorithm, useauto
instead - The
simple_form
andsimple_preauth
authentication listeners have been removed, use Guard instead. - The
SimpleFormFactory
andSimplePreAuthenticationFactory
classes have been removed, use Guard instead. - Removed
LogoutUrlHelper
andSecurityHelper
templating helpers, use Twig instead - Removed the
logout_on_user_change
firewall option - Removed the
threads
encoder option - Removed the
security.authentication.trust_resolver.anonymous_class
parameter - Removed the
security.authentication.trust_resolver.rememberme_class
parameter - Removed the
security.user.provider.in_memory.user
service.
- Added
anonymous: lazy
mode to firewalls to make them (not) start the session as late as possible - Added
migrate_from
option to encoders configuration. - Added new
argon2id
encoder, undeprecated thebcrypt
andargon2i
ones (usingauto
is still recommended by default.) - Deprecated the usage of "query_string" without a "search_dn" and a "search_password" config key in Ldap factories.
- Marked the
SecurityDataCollector
class as@final
.
- Added new encoder types:
auto
(recommended),native
andsodium
- The normalization of the cookie names configured in the
logout.delete_cookies
option is deprecated and will be disabled in Symfony 5.0. This affects to cookies with dashes in their names. For example, starting from Symfony 5.0, themy-cookie
name will deletemy-cookie
(with a dash) instead ofmy_cookie
(with an underscore).
- Using the
security.authentication.trust_resolver.anonymous_class
andsecurity.authentication.trust_resolver.rememberme_class
parameters to define the token classes is deprecated. To use custom tokens extend the existingSymfony\Component\Security\Core\Authentication\Token\AnonymousToken
. orSymfony\Component\Security\Core\Authentication\Token\RememberMeToken
. - Added
Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddExpressionLanguageProvidersPass
- Added
json_login_ldap
authentication provider to use LDAP authentication with a REST API. - Made remember-me cookies inherit their default config from
framework.session.cookie_*
and added an "auto" mode to their "secure" config option to make them secure on HTTPS automatically. - Deprecated the
simple_form
andsimple_preauth
authentication listeners, use Guard instead. - Deprecated the
SimpleFormFactory
andSimplePreAuthenticationFactory
classes, use Guard instead. - Added
port
in access_control - Added individual voter decisions to the profiler
- The
switch_user.stateless
firewall option is deprecated, use thestateless
option instead. - The
logout_on_user_change
firewall option is deprecated. - deprecated
SecurityUserValueResolver
, useSymfony\Component\Security\Http\Controller\UserValueResolver
instead.
- removed
FirewallContext::getContext()
- made
FirewallMap::$container
and::$map
private - made the first
UserPasswordEncoderCommand::_construct()
argument mandatory UserPasswordEncoderCommand
does not extendContainerAwareCommand
anymore- removed support for voters that don't implement the
VoterInterface
- removed HTTP digest authentication
- removed command
acl:set
along withSetAclCommand
class - removed command
init:acl
along withInitAclCommand
class - removed
acl
configuration key and related services, use symfony/acl-bundle instead - removed auto picking the first registered provider when no configured provider on a firewall and ambiguous
- the firewall option
logout_on_user_change
is now always true, which will trigger a logout if the user changes between requests - the
switch_user.stateless
firewall option istrue
for stateless firewalls
- Added new
security.helper
service that is an instance ofSymfony\Component\Security\Core\Security
and provides shortcuts for common security tasks. - Tagging voters with the
security.voter
tag without implementing theVoterInterface
on the class is now deprecated and will be removed in 4.0. - [BC BREAK]
FirewallContext::getListeners()
now returns\Traversable|array
- added info about called security listeners in profiler
- Added
logout_on_user_change
to the firewall options. This config item will trigger a logout when the user has changed. Should be set to true to avoid deprecations in the configuration. - deprecated HTTP digest authentication
- deprecated command
acl:set
along withSetAclCommand
class - deprecated command
init:acl
along withInitAclCommand
class - Added support for the new Argon2i password encoder
- added
stateless
option to theswitch_user
listener - deprecated auto picking the first registered provider when no configured provider on a firewall and ambiguous
- Deprecated instantiating
UserPasswordEncoderCommand
without its constructor arguments fully provided. - Deprecated
UserPasswordEncoderCommand::getContainer()
and relying on theContainerAwareCommand
sub class orContainerAwareInterface
implementation for this command. - Deprecated the
FirewallMap::$map
and$container
properties. - [BC BREAK] Keys of the
users
node forin_memory
user provider are no longer normalized. - deprecated
FirewallContext::getListeners()
- Added the
SecurityUserValueResolver
to inject the security users in actions viaSymfony\Component\Security\Core\User\UserInterface
in the method signature.
- Removed the
security.context
service.
- deprecated the
key
setting ofanonymous
,remember_me
andhttp_digest
in favor of thesecret
setting. - deprecated the
intention
firewall listener setting in favor of thecsrf_token_id
.
- Added the possibility to override the default success/failure handler to get the provider key and the options injected
- Deprecated the
security.context
service for thesecurity.token_storage
andsecurity.authorization_checker
services.
- Added 'host' option to firewall configuration
- Added 'csrf_token_generator' and 'csrf_token_id' options to firewall logout listener configuration to supersede/alias 'csrf_provider' and 'intention' respectively
- Moved 'security.secure_random' service configuration to FrameworkBundle
- allowed for multiple IP address in security access_control rules
- Added PBKDF2 Password encoder
- Added BCrypt password encoder
-
[BC BREAK] The custom factories for the firewall configuration are now registered during the build method of bundles instead of being registered by the end-user (you need to remove the 'factories' keys in your security configuration).
-
[BC BREAK] The Firewall listener is now registered after the Router one. This means that specific Firewall URLs (like /login_check and /logout must now have proper route defined in your routing configuration)
-
[BC BREAK] refactored the user provider configuration. The configuration changed for the chain provider and the memory provider:
Before:
security: providers: my_chain_provider: providers: [my_memory_provider, my_doctrine_provider] my_memory_provider: users: toto: { password: foobar, roles: [ROLE_USER] } foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] }
After:
security: providers: my_chain_provider: chain: providers: [my_memory_provider, my_doctrine_provider] my_memory_provider: memory: users: toto: { password: foobar, roles: [ROLE_USER] } foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] }
-
[BC BREAK] Method
equals
was removed fromUserInterface
to its own newEquatableInterface
. The user class can now implement this interface to override the default implementation of users equality test. -
added a validator for the user password
-
added 'erase_credentials' as a configuration key (true by default)
-
added new events:
security.authentication.success
andsecurity.authentication.failure
fired on authentication success/failure, regardless of authentication method, events are defined in new event class:Symfony\Component\Security\Core\AuthenticationEvents
. -
Added optional CSRF protection to LogoutListener:
security: firewalls: default: logout: path: /logout_path target: / csrf_parameter: _csrf_token # Optional (defaults to "_csrf_token") csrf_provider: security.csrf.token_generator # Required to enable protection intention: logout # Optional (defaults to "logout")
If the LogoutListener has CSRF protection enabled but cannot validate a token, then a LogoutException will be thrown.
-
Added
logout_url
templating helper and Twig extension, which may be used to generate logout URL's within templates. The security firewall's config key must be specified. If a firewall's logout listener has CSRF protection enabled, a token will be automatically added to the generated URL.