Require entry_point to be configured with multiple authenticators

Meanwhile, entry_point can now also be set to an authenticator name (instead of
only service IDs), to ease configuration.

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AbstractFactory.php

@@ -99,7 +99,7 @@ final public function addOption(string $name, $default = null)
      * Subclasses must return the id of a service which implements the
      * AuthenticationProviderInterface.
      *
-     * @return string never null, the id of the authentication provider
+     * @return string never null, the id ofSymfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory the authentication provider
      */
     abstract protected function createAuthProvider(ContainerBuilder $container, string $id, array $config, string $userProviderId);
 

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicFactory.php

@@ -21,7 +21,7 @@
  *
  * @author Fabien Potencier <fabien@symfony.com>
  */
-class HttpBasicFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface
+class HttpBasicFactory implements SecurityFactoryInterface, AuthenticatorFactoryInterface, EntryPointFactoryInterface
 {
     public function create(ContainerBuilder $container, string $id, array $config, string $userProvider, ?string $defaultEntryPoint)
     {
@@ -77,7 +77,7 @@ public function addConfiguration(NodeDefinition $node)
         ;
     }
 
-    protected function createEntryPoint(ContainerBuilder $container, string $id, array $config, ?string $defaultEntryPoint)
+    public function createEntryPoint(ContainerBuilder $container, string $id, array $config, ?string $defaultEntryPoint): string
     {
         if (null !== $defaultEntryPoint) {
             return $defaultEntryPoint;

src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

@@ -39,6 +39,7 @@
 use Symfony\Component\Security\Core\User\ChainUserProvider;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Controller\UserValueResolver;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Twig\Extension\AbstractExtension;
 
 /**
@@ -519,6 +520,7 @@ private function createAuthenticationListeners(ContainerBuilder $container, stri
     {
         $listeners = [];
         $hasListeners = false;
+        $entryPoints = [];
 
         foreach ($this->listenerPositions as $position) {
             foreach ($this->factories[$position] as $factory) {
@@ -542,7 +544,7 @@ private function createAuthenticationListeners(ContainerBuilder $container, stri
                         }
 
                         if ($factory instanceof EntryPointFactoryInterface) {
-                            $defaultEntryPoint = $factory->createEntryPoint($container, $id, $firewall[$key], $defaultEntryPoint);
+                            $entryPoints[$key] = $factory->createEntryPoint($container, $id, $firewall[$key], null);
                         }
                     } else {
                         list($provider, $listenerId, $defaultEntryPoint) = $factory->create($container, $id, $firewall[$key], $userProvider, $defaultEntryPoint);
@@ -555,6 +557,19 @@ private function createAuthenticationListeners(ContainerBuilder $container, stri
             }
         }
 
+        if ([] !== $entryPoints) {
+            // we can be sure the authenticator system is enabled
+            if (null !== $defaultEntryPoint) {
+                return $entryPoints[$defaultEntryPoint] ?? $defaultEntryPoint;
+            }
+
+            if (1 === \count($entryPoints)) {
+                return current($entryPoints);
+            }
+
+            throw new InvalidConfigurationException(sprintf('Because you have multiple authenticators in firewall "%s", you need to set the "entry_point" key to one of your authenticators (%s) or a service ID implementing "%s".', $id, implode(', ', $entryPoints), AuthenticationEntryPointInterface::class));
+        }
+
         if (false === $hasListeners) {
             throw new InvalidConfigurationException(sprintf('No authentication listener registered for firewall "%s".', $id));
         }