如果 "security.authentication.manager" 服务被弃用,如何替换它?
If "security.authentication.manager" service is deprecated, how to replace it?
我的应用程序(基于 Symfony5 框架)使用了传统的守卫验证器。用户使用传统的登录表单登录。所有这些都是通过制造商包和 make:auth 命令创建的。
我正在试用 5.3.0-RC1,我发现 guard 验证器将被弃用。所以,我正在尝试将我的安全性迁移到 use the new authenticator-based security。但是我在第一步就丢失了我的 csrf 令牌。
这是我的 AppAuthenticator class 扩展新的 AbstractAuthenticator 的核心:
//...
public function authenticate(Request $request): PassportInterface
{
$password = $request->request->get('password');
$email = $request->request->get('email');
$csrfToken = $request->request->get('_csrf_token'); //<========HERE THE CSRF TOKEN IS GOOD !
$request->getSession()->set(
Security::LAST_USERNAME,
$email
);
$userBadge = new UserBadge($email, function ($userIdentifier) {
return $this->userRepository->findOneBy(['email' => $userIdentifier]);
});
return new Passport($userBadge, new PasswordCredentials($password), [
new PasswordUpgradeBadge($password, $this->userRepository),
new CsrfTokenBadge('login', $csrfToken)
]);
}
public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
{
if ($targetPath = $this->getTargetPath($request->getSession(), $firewallName)) {
return new RedirectResponse($targetPath);
}
return new RedirectResponse($this->urlGenerator->generate(self::DASHBOARD_ROUTE));
}
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
{
dd($request, $exception); //<==== IN THE REQUEST THE CSRF IS GOOD, IN THE EXCEPTION THE CSRF IS NULL !!!!
return null;
}
似乎请求确实转发了 csrf 令牌(这是请求实例的转储):
AppAuthenticator.php on line 70:
Symfony\Component\HttpFoundation\Request {#5 ▼
+attributes: Symfony\Component\HttpFoundation\ParameterBag {#20 ▶}
+request: Symfony\Component\HttpFoundation\InputBag {#16 ▼
#parameters: array:4 [▼
"email" => "moderator@example.org"
"password" => "test"
"_csrf_token" => "e8695dd50d110ac0631.skdbZJaWOnU3ckQDF_e0k64-RfUo1qcqrcyv0X8_yRo.3g8eE6HjcwFSKyxwfKH_289qB7tM5-tmlZ_Bi00Kmiz3EhYwof4KGE8gKw"
"_remember_me" => "on"
]
}
但是好像在异常中,csrf token为null!!!
AppAuthenticator.php on line 70:
Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException {#924 ▼
-token: null
#message: "Invalid CSRF token."
#code: 0
#file: "/var/www/vendor/symfony/security-http/EventListener/CsrfProtectionListener.php"
#line: 51
我没有发现我的错误,但我猜它来自这些行:
我读到 about passport badge 每个表单和每个请求的 uniq 令牌都有一个唯一 ID:
Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge
Automatically validates CSRF tokens for this authenticator during authentication. The constructor requires a token ID (unique per form)
and CSRF token (unique per request). See How to Implement CSRF
Protection.
也许我的错误是在这一行:new CsrfTokenBadge('login', $csrfToken)
但是这个id是什么???我尝试登录,login_form,但没有成功...
它应该匹配您在登录表单 (csrf_token('id')) 中使用的任何 id。由于您最初使用 MakerBundle 生成表单,因此该值应为 authenticate.
我的应用程序(基于 Symfony5 框架)使用了传统的守卫验证器。用户使用传统的登录表单登录。所有这些都是通过制造商包和 make:auth 命令创建的。
我正在试用 5.3.0-RC1,我发现 guard 验证器将被弃用。所以,我正在尝试将我的安全性迁移到 use the new authenticator-based security。但是我在第一步就丢失了我的 csrf 令牌。
这是我的 AppAuthenticator class 扩展新的 AbstractAuthenticator 的核心:
//...
public function authenticate(Request $request): PassportInterface
{
$password = $request->request->get('password');
$email = $request->request->get('email');
$csrfToken = $request->request->get('_csrf_token'); //<========HERE THE CSRF TOKEN IS GOOD !
$request->getSession()->set(
Security::LAST_USERNAME,
$email
);
$userBadge = new UserBadge($email, function ($userIdentifier) {
return $this->userRepository->findOneBy(['email' => $userIdentifier]);
});
return new Passport($userBadge, new PasswordCredentials($password), [
new PasswordUpgradeBadge($password, $this->userRepository),
new CsrfTokenBadge('login', $csrfToken)
]);
}
public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
{
if ($targetPath = $this->getTargetPath($request->getSession(), $firewallName)) {
return new RedirectResponse($targetPath);
}
return new RedirectResponse($this->urlGenerator->generate(self::DASHBOARD_ROUTE));
}
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
{
dd($request, $exception); //<==== IN THE REQUEST THE CSRF IS GOOD, IN THE EXCEPTION THE CSRF IS NULL !!!!
return null;
}
似乎请求确实转发了 csrf 令牌(这是请求实例的转储):
AppAuthenticator.php on line 70:
Symfony\Component\HttpFoundation\Request {#5 ▼
+attributes: Symfony\Component\HttpFoundation\ParameterBag {#20 ▶}
+request: Symfony\Component\HttpFoundation\InputBag {#16 ▼
#parameters: array:4 [▼
"email" => "moderator@example.org"
"password" => "test"
"_csrf_token" => "e8695dd50d110ac0631.skdbZJaWOnU3ckQDF_e0k64-RfUo1qcqrcyv0X8_yRo.3g8eE6HjcwFSKyxwfKH_289qB7tM5-tmlZ_Bi00Kmiz3EhYwof4KGE8gKw"
"_remember_me" => "on"
]
}
但是好像在异常中,csrf token为null!!!
AppAuthenticator.php on line 70:
Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException {#924 ▼
-token: null
#message: "Invalid CSRF token."
#code: 0
#file: "/var/www/vendor/symfony/security-http/EventListener/CsrfProtectionListener.php"
#line: 51
我没有发现我的错误,但我猜它来自这些行:
我读到 about passport badge 每个表单和每个请求的 uniq 令牌都有一个唯一 ID:
Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge Automatically validates CSRF tokens for this authenticator during authentication. The constructor requires a token ID (unique per form) and CSRF token (unique per request). See How to Implement CSRF Protection.
也许我的错误是在这一行:new CsrfTokenBadge('login', $csrfToken) 但是这个id是什么???我尝试登录,login_form,但没有成功...
它应该匹配您在登录表单 (csrf_token('id')) 中使用的任何 id。由于您最初使用 MakerBundle 生成表单,因此该值应为 authenticate.