Fetching contributors…
Cannot retrieve contributors at this time
171 lines (136 sloc) 6.52 KB



  • removed FirewallContext::getContext()
  • made FirewallMap::$container and ::$map private
  • made the first UserPasswordEncoderCommand::_construct() argument mandatory
  • UserPasswordEncoderCommand does not extend ContainerAwareCommand anymore
  • removed support for voters that don't implement the VoterInterface
  • removed HTTP digest authentication
  • removed command acl:set along with SetAclCommand class
  • removed command init:acl along with InitAclCommand class
  • removed acl configuration key and related services, use symfony/acl-bundle instead
  • removed auto picking the first registered provider when no configured provider on a firewall and ambiguous
  • the firewall option logout_on_user_change is now always true, which will trigger a logout if the user changes between requests
  • the switch_user.stateless firewall option is true for stateless firewalls


  • Added new security.helper service that is an instance of Symfony\Component\Security\Core\Security and provides shortcuts for common security tasks.
  • Tagging voters with the security.voter tag without implementing the VoterInterface on the class is now deprecated and will be removed in 4.0.
  • [BC BREAK] FirewallContext::getListeners() now returns \Traversable|array
  • added info about called security listeners in profiler
  • Added logout_on_user_change to the firewall options. This config item will trigger a logout when the user has changed. Should be set to true to avoid deprecations in the configuration.
  • deprecated HTTP digest authentication
  • deprecated command acl:set along with SetAclCommand class
  • deprecated command init:acl along with InitAclCommand class
  • Added support for the new Argon2i password encoder
  • added stateless option to the switch_user listener
  • deprecated auto picking the first registered provider when no configured provider on a firewall and ambiguous


  • Deprecated instantiating UserPasswordEncoderCommand without its constructor arguments fully provided.
  • Deprecated UserPasswordEncoderCommand::getContainer() and relying on the ContainerAwareCommand sub class or ContainerAwareInterface implementation for this command.
  • Deprecated the FirewallMap::$map and $container properties.
  • [BC BREAK] Keys of the users node for in_memory user provider are no longer normalized.
  • deprecated FirewallContext::getListeners()


  • Added the SecurityUserValueResolver to inject the security users in actions via Symfony\Component\Security\Core\User\UserInterface in the method signature.


  • Removed the security.context service.


  • deprecated the key setting of anonymous, remember_me and http_digest in favor of the secret setting.
  • deprecated the intention firewall listener setting in favor of the csrf_token_id.


  • Added the possibility to override the default success/failure handler to get the provider key and the options injected
  • Deprecated the security.context service for the security.token_storage and security.authorization_checker services.


  • Added 'host' option to firewall configuration
  • Added 'csrf_token_generator' and 'csrf_token_id' options to firewall logout listener configuration to supersede/alias 'csrf_provider' and 'intention' respectively
  • Moved 'security.secure_random' service configuration to FrameworkBundle


  • allowed for multiple IP address in security access_control rules


  • Added PBKDF2 Password encoder
  • Added BCrypt password encoder


  • [BC BREAK] The custom factories for the firewall configuration are now registered during the build method of bundles instead of being registered by the end-user (you need to remove the 'factories' keys in your security configuration).

  • [BC BREAK] The Firewall listener is now registered after the Router one. This means that specific Firewall URLs (like /login_check and /logout must now have proper route defined in your routing configuration)

  • [BC BREAK] refactored the user provider configuration. The configuration changed for the chain provider and the memory provider:


                providers: [my_memory_provider, my_doctrine_provider]
                    toto: { password: foobar, roles: [ROLE_USER] }
                    foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] }


                    providers: [my_memory_provider, my_doctrine_provider]
                        toto: { password: foobar, roles: [ROLE_USER] }
                        foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] }
  • [BC BREAK] Method equals was removed from UserInterface to its own new EquatableInterface. The user class can now implement this interface to override the default implementation of users equality test.

  • added a validator for the user password

  • added 'erase_credentials' as a configuration key (true by default)

  • added new events: security.authentication.success and security.authentication.failure fired on authentication success/failure, regardless of authentication method, events are defined in new event class: Symfony\Component\Security\Core\AuthenticationEvents.

  • Added optional CSRF protection to LogoutListener:

                    path: /logout_path
                    target: /
                    csrf_parameter: _csrf_token                   # Optional (defaults to "_csrf_token")
                    csrf_provider:  security.csrf.token_generator # Required to enable protection
                    intention:      logout                        # Optional (defaults to "logout")

    If the LogoutListener has CSRF protection enabled but cannot validate a token, then a LogoutException will be thrown.

  • Added logout_url templating helper and Twig extension, which may be used to generate logout URL's within templates. The security firewall's config key must be specified. If a firewall's logout listener has CSRF protection enabled, a token will be automatically added to the generated URL.