CHANGELOG.md 11 KB

CHANGELOG

5.2.0

  • Added FirewallListenerFactoryInterface, which can be implemented by security factories to add firewall listeners
  • Added SortFirewallListenersPass to make the execution order of firewall listeners configurable by leveraging Symfony\Component\Security\Http\Firewall\FirewallListenerInterface
  • Added ability to use comma separated ip address list for security.access_control
  • [BC break] Removed EntryPointFactoryInterface, authenticators must now implement AuthenticationEntryPointInterface if they require autoregistration of a Security entry point.

5.1.0

  • Added XSD for configuration
  • Added security configuration for priority-based access decision strategy
  • Marked the AnonymousFactory, FormLoginFactory, FormLoginLdapFactory, GuardAuthenticationFactory, HttpBasicFactory, HttpBasicLdapFactory, JsonLoginFactory, JsonLoginLdapFactory, RememberMeFactory, RemoteUserFactory and X509Factory as @internal
  • Renamed method AbstractFactory#createEntryPoint() to AbstractFactory#createDefaultEntryPoint()

5.0.0

  • The switch_user.stateless firewall option has been removed.
  • Removed the ability to configure encoders using argon2i or bcrypt as algorithm, use auto instead
  • The simple_form and simple_preauth authentication listeners have been removed, use Guard instead.
  • The SimpleFormFactory and SimplePreAuthenticationFactory classes have been removed, use Guard instead.
  • Removed LogoutUrlHelper and SecurityHelper templating helpers, use Twig instead
  • Removed the logout_on_user_change firewall option
  • Removed the threads encoder option
  • Removed the security.authentication.trust_resolver.anonymous_class parameter
  • Removed the security.authentication.trust_resolver.rememberme_class parameter
  • Removed the security.user.provider.in_memory.user service.

4.4.0

  • Added anonymous: lazy mode to firewalls to make them (not) start the session as late as possible
  • Added migrate_from option to encoders configuration.
  • Added new argon2id encoder, undeprecated the bcrypt and argon2i ones (using auto is still recommended by default.)
  • Deprecated the usage of "query_string" without a "search_dn" and a "search_password" config key in Ldap factories.
  • Marked the SecurityDataCollector class as @final.

4.3.0

  • Added new encoder types: auto (recommended), native and sodium
  • The normalization of the cookie names configured in the logout.delete_cookies option is deprecated and will be disabled in Symfony 5.0. This affects to cookies with dashes in their names. For example, starting from Symfony 5.0, the my-cookie name will delete my-cookie (with a dash) instead of my_cookie (with an underscore).

4.2.0

  • Using the security.authentication.trust_resolver.anonymous_class and security.authentication.trust_resolver.rememberme_class parameters to define the token classes is deprecated. To use custom tokens extend the existing Symfony\Component\Security\Core\Authentication\Token\AnonymousToken. or Symfony\Component\Security\Core\Authentication\Token\RememberMeToken.
  • Added Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler\AddExpressionLanguageProvidersPass
  • Added json_login_ldap authentication provider to use LDAP authentication with a REST API.
  • Made remember-me cookies inherit their default config from framework.session.cookie_* and added an "auto" mode to their "secure" config option to make them secure on HTTPS automatically.
  • Deprecated the simple_form and simple_preauth authentication listeners, use Guard instead.
  • Deprecated the SimpleFormFactory and SimplePreAuthenticationFactory classes, use Guard instead.
  • Added port in access_control
  • Added individual voter decisions to the profiler

4.1.0

  • The switch_user.stateless firewall option is deprecated, use the stateless option instead.
  • The logout_on_user_change firewall option is deprecated.
  • deprecated SecurityUserValueResolver, use Symfony\Component\Security\Http\Controller\UserValueResolver instead.

4.0.0

  • removed FirewallContext::getContext()
  • made FirewallMap::$container and ::$map private
  • made the first UserPasswordEncoderCommand::_construct() argument mandatory
  • UserPasswordEncoderCommand does not extend ContainerAwareCommand anymore
  • removed support for voters that don't implement the VoterInterface
  • removed HTTP digest authentication
  • removed command acl:set along with SetAclCommand class
  • removed command init:acl along with InitAclCommand class
  • removed acl configuration key and related services, use symfony/acl-bundle instead
  • removed auto picking the first registered provider when no configured provider on a firewall and ambiguous
  • the firewall option logout_on_user_change is now always true, which will trigger a logout if the user changes between requests
  • the switch_user.stateless firewall option is true for stateless firewalls

3.4.0

  • Added new security.helper service that is an instance of Symfony\Component\Security\Core\Security and provides shortcuts for common security tasks.
  • Tagging voters with the security.voter tag without implementing the VoterInterface on the class is now deprecated and will be removed in 4.0.
  • [BC BREAK] FirewallContext::getListeners() now returns \Traversable|array
  • added info about called security listeners in profiler
  • Added logout_on_user_change to the firewall options. This config item will trigger a logout when the user has changed. Should be set to true to avoid deprecations in the configuration.
  • deprecated HTTP digest authentication
  • deprecated command acl:set along with SetAclCommand class
  • deprecated command init:acl along with InitAclCommand class
  • Added support for the new Argon2i password encoder
  • added stateless option to the switch_user listener
  • deprecated auto picking the first registered provider when no configured provider on a firewall and ambiguous

3.3.0

  • Deprecated instantiating UserPasswordEncoderCommand without its constructor arguments fully provided.
  • Deprecated UserPasswordEncoderCommand::getContainer() and relying on the ContainerAwareCommand sub class or ContainerAwareInterface implementation for this command.
  • Deprecated the FirewallMap::$map and $container properties.
  • [BC BREAK] Keys of the users node for in_memory user provider are no longer normalized.
  • deprecated FirewallContext::getListeners()

3.2.0

  • Added the SecurityUserValueResolver to inject the security users in actions via Symfony\Component\Security\Core\User\UserInterface in the method signature.

3.0.0

  • Removed the security.context service.

2.8.0

  • deprecated the key setting of anonymous, remember_me and http_digest in favor of the secret setting.
  • deprecated the intention firewall listener setting in favor of the csrf_token_id.

2.6.0

  • Added the possibility to override the default success/failure handler to get the provider key and the options injected
  • Deprecated the security.context service for the security.token_storage and security.authorization_checker services.

2.4.0

  • Added 'host' option to firewall configuration
  • Added 'csrf_token_generator' and 'csrf_token_id' options to firewall logout listener configuration to supersede/alias 'csrf_provider' and 'intention' respectively
  • Moved 'security.secure_random' service configuration to FrameworkBundle

2.3.0

  • allowed for multiple IP address in security access_control rules

2.2.0

  • Added PBKDF2 Password encoder
  • Added BCrypt password encoder

2.1.0

  • [BC BREAK] The custom factories for the firewall configuration are now registered during the build method of bundles instead of being registered by the end-user (you need to remove the 'factories' keys in your security configuration).

  • [BC BREAK] The Firewall listener is now registered after the Router one. This means that specific Firewall URLs (like /login_check and /logout must now have proper route defined in your routing configuration)

  • [BC BREAK] refactored the user provider configuration. The configuration changed for the chain provider and the memory provider:

    Before:

    security:
        providers:
            my_chain_provider:
                providers: [my_memory_provider, my_doctrine_provider]
            my_memory_provider:
                users:
                    toto: { password: foobar, roles: [ROLE_USER] }
                    foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] }
    

    After:

    security:
        providers:
            my_chain_provider:
                chain:
                    providers: [my_memory_provider, my_doctrine_provider]
            my_memory_provider:
                memory:
                    users:
                        toto: { password: foobar, roles: [ROLE_USER] }
                        foo: { password: bar, roles: [ROLE_USER, ROLE_ADMIN] }
    
  • [BC BREAK] Method equals was removed from UserInterface to its own new EquatableInterface. The user class can now implement this interface to override the default implementation of users equality test.

  • added a validator for the user password

  • added 'erase_credentials' as a configuration key (true by default)

  • added new events: security.authentication.success and security.authentication.failure fired on authentication success/failure, regardless of authentication method, events are defined in new event class: Symfony\Component\Security\Core\AuthenticationEvents.

  • Added optional CSRF protection to LogoutListener:

    security:
        firewalls:
            default:
                logout:
                    path: /logout_path
                    target: /
                    csrf_parameter: _csrf_token                   # Optional (defaults to "_csrf_token")
                    csrf_provider:  security.csrf.token_generator # Required to enable protection
                    intention:      logout                        # Optional (defaults to "logout")
    

    If the LogoutListener has CSRF protection enabled but cannot validate a token, then a LogoutException will be thrown.

    • Added logout_url templating helper and Twig extension, which may be used to generate logout URL's within templates. The security firewall's config key must be specified. If a firewall's logout listener has CSRF protection enabled, a token will be automatically added to the generated URL.