[Security] Post Authentication Listeners

src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php

@@ -263,12 +263,6 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
                     ->end()
                 ->end()
             ->end()
-            ->arrayNode('anonymous')
-                ->canBeUnset()
-                ->children()
-                    ->scalarNode('secret')->defaultValue(uniqid('', true))->end()
-                ->end()
-            ->end()
             ->arrayNode('switch_user')
                 ->canBeUnset()
                 ->children()

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/AnonymousAuthenticationFactory.php

@@ -0,0 +1,59 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
+
+use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\DependencyInjection\ChildDefinition;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+/**
+ * @author John Kleijn <john@kleijnweb.nl>
+ */
+class AnonymousAuthenticationFactory implements SecurityFactoryInterface
+{
+    public function getPosition()
+    {
+        return 'anon';
+    }
+
+    public function getKey()
+    {
+        return 'anonymous';
+    }
+
+    public function addConfiguration(NodeDefinition $node)
+    {
+        $node
+            ->children()
+            ->scalarNode('secret')->defaultValue(uniqid('', true))->end()
+            ->end()
+            ->end()
+        ;
+    }
+
+    public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
+    {
+        $listenerId = 'security.authentication.listener.anonymous.'.$id;
+        $container
+            ->setDefinition($listenerId, new ChildDefinition('security.authentication.listener.anonymous'))
+            ->replaceArgument(1, $config['secret'])
+        ;
+
+        $providerId = 'security.authentication.provider.anonymous.'.$id;
+        $container
+            ->setDefinition($providerId, new ChildDefinition('security.authentication.provider.anonymous'))
+            ->replaceArgument(0, $config['secret'])
+        ;
+
+        return array($providerId, $listenerId, null);
+    }
+}

src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

@@ -38,7 +38,7 @@ class SecurityExtension extends Extension
     private $requestMatchers = array();
     private $expressions = array();
     private $contextListeners = array();
-    private $listenerPositions = array('pre_auth', 'form', 'http', 'remember_me');
+    private $listenerPositions = array('pre_auth', 'form', 'http', 'remember_me', 'anon', 'post_authentication');
     private $factories = array();
     private $userProviderFactories = array();
     private $expressionLanguage;
@@ -429,10 +429,6 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
             }
         }
 
-        if (isset($firewall['anonymous'])) {
-            $listenerKeys[] = 'anonymous';
-        }
-
         $config->replaceArgument(10, $listenerKeys);
 
         return array($matcher, $listeners, $exceptionListener);
@@ -454,45 +450,31 @@ private function createContextListener($container, $contextKey)
     private function createAuthenticationListeners($container, $id, $firewall, &$authenticationProviders, $defaultProvider, $defaultEntryPoint)
     {
         $listeners = array();
-        $hasListeners = false;
-
+        $hasAuthenticationProvider = false;
         foreach ($this->listenerPositions as $position) {
             foreach ($this->factories[$position] as $factory) {
                 $key = str_replace('-', '_', $factory->getKey());
 
                 if (isset($firewall[$key])) {
                     $userProvider = isset($firewall[$key]['provider']) ? $this->getUserProviderId($firewall[$key]['provider']) : $defaultProvider;
 
-                    list($provider, $listenerId, $defaultEntryPoint) = $factory->create($container, $id, $firewall[$key], $userProvider, $defaultEntryPoint);
+                    list($authenticationProvider, $listenerId, $entryPoint) = $factory->create($container, $id, $firewall[$key], $userProvider, $defaultEntryPoint);
+
+                    if ($entryPoint !== null) {
+                        $defaultEntryPoint = $entryPoint;
+                    }
 
                     $listeners[] = new Reference($listenerId);
-                    $authenticationProviders[] = $provider;
-                    $hasListeners = true;
+
+                    if ($authenticationProvider !== null) {
+                        $hasAuthenticationProvider = true;
+                        $authenticationProviders[] = $authenticationProvider;
+                    }
                 }
             }
         }
 
-        // Anonymous
-        if (isset($firewall['anonymous'])) {
-            $listenerId = 'security.authentication.listener.anonymous.'.$id;
-            $container
-                ->setDefinition($listenerId, new ChildDefinition('security.authentication.listener.anonymous'))
-                ->replaceArgument(1, $firewall['anonymous']['secret'])
-            ;
-
-            $listeners[] = new Reference($listenerId);
-
-            $providerId = 'security.authentication.provider.anonymous.'.$id;
-            $container
-                ->setDefinition($providerId, new ChildDefinition('security.authentication.provider.anonymous'))
-                ->replaceArgument(0, $firewall['anonymous']['secret'])
-            ;
-
-            $authenticationProviders[] = $providerId;
-            $hasListeners = true;
-        }
-
-        if (false === $hasListeners) {
+        if (false === $hasAuthenticationProvider) {
             throw new InvalidConfigurationException(sprintf('No authentication listener registered for firewall "%s".', $id));
         }
 

src/Symfony/Bundle/SecurityBundle/SecurityBundle.php

@@ -28,6 +28,7 @@
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\InMemoryFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\GuardAuthenticationFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\UserProvider\LdapFactory;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\AnonymousAuthenticationFactory;
 
 /**
  * Bundle.
@@ -53,6 +54,7 @@ public function build(ContainerBuilder $container)
         $extension->addSecurityListenerFactory(new SimplePreAuthenticationFactory());
         $extension->addSecurityListenerFactory(new SimpleFormFactory());
         $extension->addSecurityListenerFactory(new GuardAuthenticationFactory());
+        $extension->addSecurityListenerFactory(new AnonymousAuthenticationFactory());
 
         $extension->addUserProviderFactory(new InMemoryFactory());
         $extension->addUserProviderFactory(new LdapFactory());

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/Factory/SomePostAuthenticationFactory.php

@@ -0,0 +1,47 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\DependencyInjection\Fixtures\Factory;
+
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
+use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Definition;
+
+/**
+ * @author John Kleijn <john@kleijnweb.nl>
+ */
+class SomePostAuthenticationFactory implements SecurityFactoryInterface
+{
+    const DUMMY_ID = 'security.authentication.listener.some_dummy_post_authentication_plugin';
+
+    public function getPosition()
+    {
+        return 'post_authentication';
+    }
+
+    public function getKey()
+    {
+        return 'some_post_authentication_plugin';
+    }
+
+    public function addConfiguration(NodeDefinition $node)
+    {
+        //NOOP
+    }
+
+    public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
+    {
+        $container->setDefinition(self::DUMMY_ID, new Definition('\stdClass'));
+
+        return array(null, self::DUMMY_ID, null);
+    }
+}

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php

@@ -12,8 +12,10 @@
 namespace Symfony\Bundle\SecurityBundle\Tests\DependencyInjection;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\SecurityExtension;
 use Symfony\Bundle\SecurityBundle\SecurityBundle;
+use Symfony\Bundle\SecurityBundle\Tests\DependencyInjection\Fixtures\Factory\SomePostAuthenticationFactory;
 use Symfony\Bundle\SecurityBundle\Tests\DependencyInjection\Fixtures\UserProvider\DummyProvider;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 
@@ -119,7 +121,34 @@ public function testDisableRoleHierarchyVoter()
         $this->assertFalse($container->hasDefinition('security.access.role_hierarchy_voter'));
     }
 
-    protected function getRawContainer()
+    public function testAddPostAuthenticationFirewallListener()
+    {
+        $container = $this->getRawContainer(array(new SomePostAuthenticationFactory()));
+
+        $container->loadFromExtension('security', array(
+            'providers' => array(
+                'default' => array('id' => 'foo'),
+            ),
+
+            'firewalls' => array(
+                'some_firewall' => array(
+                    'anonymous' => null,
+                    'some_post_authentication_plugin' => null,
+                ),
+            ),
+        ));
+
+        $container->compile();
+
+        $this->assertTrue($container->hasDefinition(SomePostAuthenticationFactory::DUMMY_ID));
+    }
+
+    /**
+     * @param SecurityFactoryInterface[] $factories
+     *
+     * @return ContainerBuilder
+     */
+    protected function getRawContainer(array $factories = array())
     {
         $container = new ContainerBuilder();
         $security = new SecurityExtension();
@@ -128,6 +157,10 @@ protected function getRawContainer()
         $bundle = new SecurityBundle();
         $bundle->build($container);
 
+        foreach ($factories as $factory) {
+            $security->addSecurityListenerFactory($factory);
+        }
+
         $container->getCompilerPassConfig()->setOptimizationPasses(array());
         $container->getCompilerPassConfig()->setRemovingPasses(array());
 

src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/FirewallPostAuthenticationBundle/Controller/SecureController.php

@@ -0,0 +1,27 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\FirewallPostAuthenticationBundle\Controller;
+
+use Symfony\Component\HttpFoundation\Response;
+
+/**
+ * @author John Kleijn <john@kleijnweb.nl>
+ */
+class SecureController
+{
+    const CONTENT = 'CUSTOM AUTHORIZED CONTENT';
+
+    public function indexAction()
+    {
+        return new Response(self::CONTENT);
+    }
+}

src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/FirewallPostAuthenticationBundle/DependencyInjection/Factory/CustomAccessFactory.php

@@ -0,0 +1,52 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\FirewallPostAuthenticationBundle\DependencyInjection\Factory;
+
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
+use Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\FirewallPostAuthenticationBundle\Security\CustomAccessListener;
+use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Definition;
+use Symfony\Component\DependencyInjection\Reference;
+
+/**
+ * @author John Kleijn <john@kleijnweb.nl>
+ */
+class CustomAccessFactory implements SecurityFactoryInterface
+{
+    const ID = 'security.authentication.listener.some_dummy_post_authentication_plugin';
+
+    public function getPosition()
+    {
+        return 'post_authentication';
+    }
+
+    public function getKey()
+    {
+        return 'custom_access';
+    }
+
+    public function addConfiguration(NodeDefinition $node)
+    {
+        //NOOP
+    }
+
+    public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
+    {
+        $definition = new Definition(CustomAccessListener::class);
+        $definition->addArgument(new Reference('security.token_storage'));
+        $definition->setPublic(false);
+        $container->setDefinition(self::ID, $definition);
+
+        return array(null, self::ID, null);
+    }
+}

src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/FirewallPostAuthenticationBundle/FirewallPostAuthenticationBundle.php

@@ -0,0 +1,32 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\FirewallPostAuthenticationBundle;
+
+use Symfony\Bundle\SecurityBundle\DependencyInjection\SecurityExtension;
+use Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\FirewallPostAuthenticationBundle\DependencyInjection\Factory\CustomAccessFactory;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\HttpKernel\Bundle\Bundle;
+
+/**
+ * @author John Kleijn <john@kleijnweb.nl>
+ */
+class FirewallPostAuthenticationBundle extends Bundle
+{
+    public function build(ContainerBuilder $container)
+    {
+        parent::build($container);
+
+        /** @var SecurityExtension $extension */
+        $extension = $container->getExtension('security');
+        $extension->addSecurityListenerFactory(new CustomAccessFactory());
+    }
+}