vendor/symfony/security-http/Firewall/ExceptionListener.php line 83

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Http\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  16. use Symfony\Component\HttpFoundation\Request;
  17. use Symfony\Component\HttpFoundation\Response;
  18. use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
  19. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  20. use Symfony\Component\HttpKernel\Exception\HttpException;
  21. use Symfony\Component\HttpKernel\HttpKernelInterface;
  22. use Symfony\Component\HttpKernel\KernelEvents;
  23. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  24. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  25. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  26. use Symfony\Component\Security\Core\Exception\AccountStatusException;
  27. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  28. use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
  29. use Symfony\Component\Security\Core\Exception\LazyResponseException;
  30. use Symfony\Component\Security\Core\Exception\LogoutException;
  31. use Symfony\Component\Security\Core\Security;
  32. use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
  33. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  34. use Symfony\Component\Security\Http\HttpUtils;
  35. use Symfony\Component\Security\Http\Util\TargetPathTrait;
  37. /**
  38.  * ExceptionListener catches authentication exception and converts them to
  39.  * Response instances.
  40.  *
  41.  * @author Fabien Potencier <fabien@symfony.com>
  42.  *
  43.  * @final since Symfony 4.3, EventDispatcherInterface type-hints will be updated to the interface from symfony/contracts in 5.0
  44.  */
  45. class ExceptionListener
  46. {
  47.     use TargetPathTrait;
  49.     private $tokenStorage;
  50.     private $providerKey;
  51.     private $accessDeniedHandler;
  52.     private $authenticationEntryPoint;
  53.     private $authenticationTrustResolver;
  54.     private $errorPage;
  55.     private $logger;
  56.     private $httpUtils;
  57.     private $stateless;
  59.     public function __construct(TokenStorageInterface $tokenStorageAuthenticationTrustResolverInterface $trustResolverHttpUtils $httpUtilsstring $providerKeyAuthenticationEntryPointInterface $authenticationEntryPoint nullstring $errorPage nullAccessDeniedHandlerInterface $accessDeniedHandler nullLoggerInterface $logger nullbool $stateless false)
  60.     {
  61.         $this->tokenStorage $tokenStorage;
  62.         $this->accessDeniedHandler $accessDeniedHandler;
  63.         $this->httpUtils $httpUtils;
  64.         $this->providerKey $providerKey;
  65.         $this->authenticationEntryPoint $authenticationEntryPoint;
  66.         $this->authenticationTrustResolver $trustResolver;
  67.         $this->errorPage $errorPage;
  68.         $this->logger $logger;
  69.         $this->stateless $stateless;
  70.     }
  72.     /**
  73.      * Registers a onKernelException listener to take care of security exceptions.
  74.      */
  75.     public function register(EventDispatcherInterface $dispatcher)
  76.     {
  77.         $dispatcher->addListener(KernelEvents::EXCEPTION, [$this'onKernelException'], 1);
  78.     }
  80.     /**
  81.      * Unregisters the dispatcher.
  82.      */
  83.     public function unregister(EventDispatcherInterface $dispatcher)
  84.     {
  85.         $dispatcher->removeListener(KernelEvents::EXCEPTION, [$this'onKernelException']);
  86.     }
  88.     /**
  89.      * Handles security related exceptions.
  90.      */
  91.     public function onKernelException(GetResponseForExceptionEvent $event)
  92.     {
  93.         $exception $event->getThrowable();
  94.         do {
  95.             if ($exception instanceof AuthenticationException) {
  96.                 $this->handleAuthenticationException($event$exception);
  98.                 return;
  99.             }
  101.             if ($exception instanceof AccessDeniedException) {
  102.                 $this->handleAccessDeniedException($event$exception);
  104.                 return;
  105.             }
  107.             if ($exception instanceof LazyResponseException) {
  108.                 $event->setResponse($exception->getResponse());
  110.                 return;
  111.             }
  113.             if ($exception instanceof LogoutException) {
  114.                 $this->handleLogoutException($event$exception);
  116.                 return;
  117.             }
  118.         } while (null !== $exception $exception->getPrevious());
  119.     }
  121.     private function handleAuthenticationException(GetResponseForExceptionEvent $eventAuthenticationException $exception): void
  122.     {
  123.         if (null !== $this->logger) {
  124.             $this->logger->info('An AuthenticationException was thrown; redirecting to authentication entry point.', ['exception' => $exception]);
  125.         }
  127.         try {
  128.             $event->setResponse($this->startAuthentication($event->getRequest(), $exception));
  129.             $event->allowCustomResponseCode();
  130.         } catch (\Exception $e) {
  131.             $event->setThrowable($e);
  132.         }
  133.     }
  135.     private function handleAccessDeniedException(GetResponseForExceptionEvent $eventAccessDeniedException $exception)
  136.     {
  137.         $event->setThrowable(new AccessDeniedHttpException($exception->getMessage(), $exception));
  139.         $token $this->tokenStorage->getToken();
  140.         if (!$this->authenticationTrustResolver->isFullFledged($token)) {
  141.             if (null !== $this->logger) {
  142.                 $this->logger->debug('Access denied, the user is not fully authenticated; redirecting to authentication entry point.', ['exception' => $exception]);
  143.             }
  145.             try {
  146.                 $insufficientAuthenticationException = new InsufficientAuthenticationException('Full authentication is required to access this resource.'0$exception);
  147.                 $insufficientAuthenticationException->setToken($token);
  149.                 $event->setResponse($this->startAuthentication($event->getRequest(), $insufficientAuthenticationException));
  150.             } catch (\Exception $e) {
  151.                 $event->setThrowable($e);
  152.             }
  154.             return;
  155.         }
  157.         if (null !== $this->logger) {
  158.             $this->logger->debug('Access denied, the user is neither anonymous, nor remember-me.', ['exception' => $exception]);
  159.         }
  161.         try {
  162.             if (null !== $this->accessDeniedHandler) {
  163.                 $response $this->accessDeniedHandler->handle($event->getRequest(), $exception);
  165.                 if ($response instanceof Response) {
  166.                     $event->setResponse($response);
  167.                 }
  168.             } elseif (null !== $this->errorPage) {
  169.                 $subRequest $this->httpUtils->createRequest($event->getRequest(), $this->errorPage);
  170.                 $subRequest->attributes->set(Security::ACCESS_DENIED_ERROR$exception);
  172.                 $event->setResponse($event->getKernel()->handle($subRequestHttpKernelInterface::SUB_REQUESTtrue));
  173.                 $event->allowCustomResponseCode();
  174.             }
  175.         } catch (\Exception $e) {
  176.             if (null !== $this->logger) {
  177.                 $this->logger->error('An exception was thrown when handling an AccessDeniedException.', ['exception' => $e]);
  178.             }
  180.             $event->setThrowable(new \RuntimeException('Exception thrown when handling an exception.'0$e));
  181.         }
  182.     }
  184.     private function handleLogoutException(GetResponseForExceptionEvent $eventLogoutException $exception): void
  185.     {
  186.         $event->setThrowable(new AccessDeniedHttpException($exception->getMessage(), $exception));
  188.         if (null !== $this->logger) {
  189.             $this->logger->info('A LogoutException was thrown; wrapping with AccessDeniedHttpException', ['exception' => $exception]);
  190.         }
  191.     }
  193.     private function startAuthentication(Request $requestAuthenticationException $authException): Response
  194.     {
  195.         if (null === $this->authenticationEntryPoint) {
  196.             throw new HttpException(Response::HTTP_UNAUTHORIZED$authException->getMessage(), $authException, [], $authException->getCode());
  197.         }
  199.         if (null !== $this->logger) {
  200.             $this->logger->debug('Calling Authentication entry point.');
  201.         }
  203.         if (!$this->stateless) {
  204.             $this->setTargetPath($request);
  205.         }
  207.         if ($authException instanceof AccountStatusException) {
  208.             // remove the security token to prevent infinite redirect loops
  209.             $this->tokenStorage->setToken(null);
  211.             if (null !== $this->logger) {
  212.                 $this->logger->info('The security token was removed due to an AccountStatusException.', ['exception' => $authException]);
  213.             }
  214.         }
  216.         $response $this->authenticationEntryPoint->start($request$authException);
  218.         if (!$response instanceof Response) {
  219.             $given = \is_object($response) ? \get_class($response) : \gettype($response);
  221.             throw new \LogicException(sprintf('The "%s::start()" method must return a Response object ("%s" returned).', \get_class($this->authenticationEntryPoint), $given));
  222.         }
  224.         return $response;
  225.     }
  227.     protected function setTargetPath(Request $request)
  228.     {
  229.         // session isn't required when using HTTP basic authentication mechanism for example
  230.         if ($request->hasSession() && $request->isMethodSafe() && !$request->isXmlHttpRequest()) {
  231.             $this->saveTargetPath($request->getSession(), $this->providerKey$request->getUri());
  232.         }
  233.     }
  234. }