vendor/symfony/security-http/Firewall/ExceptionListener.php line 92

  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Http\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  16. use Symfony\Component\HttpFoundation\Request;
  17. use Symfony\Component\HttpFoundation\Response;
  18. use Symfony\Component\HttpKernel\Event\ExceptionEvent;
  19. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  20. use Symfony\Component\HttpKernel\Exception\HttpException;
  21. use Symfony\Component\HttpKernel\HttpKernelInterface;
  22. use Symfony\Component\HttpKernel\KernelEvents;
  23. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  24. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  25. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  26. use Symfony\Component\Security\Core\Exception\AccountStatusException;
  27. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  28. use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
  29. use Symfony\Component\Security\Core\Exception\LazyResponseException;
  30. use Symfony\Component\Security\Core\Exception\LogoutException;
  31. use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
  32. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  33. use Symfony\Component\Security\Http\EntryPoint\Exception\NotAnEntryPointException;
  34. use Symfony\Component\Security\Http\HttpUtils;
  35. use Symfony\Component\Security\Http\SecurityRequestAttributes;
  36. use Symfony\Component\Security\Http\Util\TargetPathTrait;
  38. /**
  39.  * ExceptionListener catches authentication exception and converts them to
  40.  * Response instances.
  41.  *
  42.  * @author Fabien Potencier <fabien@symfony.com>
  43.  *
  44.  * @final
  45.  */
  46. class ExceptionListener
  47. {
  48.     use TargetPathTrait;
  50.     private TokenStorageInterface $tokenStorage;
  51.     private string $firewallName;
  52.     private ?AccessDeniedHandlerInterface $accessDeniedHandler;
  53.     private ?AuthenticationEntryPointInterface $authenticationEntryPoint;
  54.     private AuthenticationTrustResolverInterface $authenticationTrustResolver;
  55.     private ?string $errorPage;
  56.     private ?LoggerInterface $logger;
  57.     private HttpUtils $httpUtils;
  58.     private bool $stateless;
  60.     public function __construct(TokenStorageInterface $tokenStorageAuthenticationTrustResolverInterface $trustResolverHttpUtils $httpUtilsstring $firewallNameAuthenticationEntryPointInterface $authenticationEntryPoint nullstring $errorPage nullAccessDeniedHandlerInterface $accessDeniedHandler nullLoggerInterface $logger nullbool $stateless false)
  61.     {
  62.         $this->tokenStorage $tokenStorage;
  63.         $this->accessDeniedHandler $accessDeniedHandler;
  64.         $this->httpUtils $httpUtils;
  65.         $this->firewallName $firewallName;
  66.         $this->authenticationEntryPoint $authenticationEntryPoint;
  67.         $this->authenticationTrustResolver $trustResolver;
  68.         $this->errorPage $errorPage;
  69.         $this->logger $logger;
  70.         $this->stateless $stateless;
  71.     }
  73.     /**
  74.      * Registers a onKernelException listener to take care of security exceptions.
  75.      */
  76.     public function register(EventDispatcherInterface $dispatcher)
  77.     {
  78.         $dispatcher->addListener(KernelEvents::EXCEPTION$this->onKernelException(...), 1);
  79.     }
  81.     /**
  82.      * Unregisters the dispatcher.
  83.      */
  84.     public function unregister(EventDispatcherInterface $dispatcher)
  85.     {
  86.         $dispatcher->removeListener(KernelEvents::EXCEPTION$this->onKernelException(...));
  87.     }
  89.     /**
  90.      * Handles security related exceptions.
  91.      */
  92.     public function onKernelException(ExceptionEvent $event)
  93.     {
  94.         $exception $event->getThrowable();
  95.         do {
  96.             if ($exception instanceof AuthenticationException) {
  97.                 $this->handleAuthenticationException($event$exception);
  99.                 return;
  100.             }
  102.             if ($exception instanceof AccessDeniedException) {
  103.                 $this->handleAccessDeniedException($event$exception);
  105.                 return;
  106.             }
  108.             if ($exception instanceof LazyResponseException) {
  109.                 $event->setResponse($exception->getResponse());
  111.                 return;
  112.             }
  114.             if ($exception instanceof LogoutException) {
  115.                 $this->handleLogoutException($event$exception);
  117.                 return;
  118.             }
  119.         } while (null !== $exception $exception->getPrevious());
  120.     }
  122.     private function handleAuthenticationException(ExceptionEvent $eventAuthenticationException $exception): void
  123.     {
  124.         $this->logger?->info('An AuthenticationException was thrown; redirecting to authentication entry point.', ['exception' => $exception]);
  126.         try {
  127.             $event->setResponse($this->startAuthentication($event->getRequest(), $exception));
  128.             $event->allowCustomResponseCode();
  129.         } catch (\Exception $e) {
  130.             $event->setThrowable($e);
  131.         }
  132.     }
  134.     private function handleAccessDeniedException(ExceptionEvent $eventAccessDeniedException $exception)
  135.     {
  136.         $event->setThrowable(new AccessDeniedHttpException($exception->getMessage(), $exception));
  138.         $token $this->tokenStorage->getToken();
  139.         if (!$this->authenticationTrustResolver->isFullFledged($token)) {
  140.             $this->logger?->debug('Access denied, the user is not fully authenticated; redirecting to authentication entry point.', ['exception' => $exception]);
  142.             try {
  143.                 $insufficientAuthenticationException = new InsufficientAuthenticationException('Full authentication is required to access this resource.'0$exception);
  144.                 if (null !== $token) {
  145.                     $insufficientAuthenticationException->setToken($token);
  146.                 }
  148.                 $event->setResponse($this->startAuthentication($event->getRequest(), $insufficientAuthenticationException));
  149.             } catch (\Exception $e) {
  150.                 $event->setThrowable($e);
  151.             }
  153.             return;
  154.         }
  156.         $this->logger?->debug('Access denied, the user is neither anonymous, nor remember-me.', ['exception' => $exception]);
  158.         try {
  159.             if (null !== $this->accessDeniedHandler) {
  160.                 $response $this->accessDeniedHandler->handle($event->getRequest(), $exception);
  162.                 if ($response instanceof Response) {
  163.                     $event->setResponse($response);
  164.                 }
  165.             } elseif (null !== $this->errorPage) {
  166.                 $subRequest $this->httpUtils->createRequest($event->getRequest(), $this->errorPage);
  167.                 $subRequest->attributes->set(SecurityRequestAttributes::ACCESS_DENIED_ERROR$exception);
  169.                 $event->setResponse($event->getKernel()->handle($subRequestHttpKernelInterface::SUB_REQUESTtrue));
  170.                 $event->allowCustomResponseCode();
  171.             }
  172.         } catch (\Exception $e) {
  173.             $this->logger?->error('An exception was thrown when handling an AccessDeniedException.', ['exception' => $e]);
  175.             $event->setThrowable(new \RuntimeException('Exception thrown when handling an exception.'0$e));
  176.         }
  177.     }
  179.     private function handleLogoutException(ExceptionEvent $eventLogoutException $exception): void
  180.     {
  181.         $event->setThrowable(new AccessDeniedHttpException($exception->getMessage(), $exception));
  183.         $this->logger?->info('A LogoutException was thrown; wrapping with AccessDeniedHttpException', ['exception' => $exception]);
  184.     }
  186.     private function startAuthentication(Request $requestAuthenticationException $authException): Response
  187.     {
  188.         if (null === $this->authenticationEntryPoint) {
  189.             $this->throwUnauthorizedException($authException);
  190.         }
  192.         $this->logger?->debug('Calling Authentication entry point.', ['entry_point' => $this->authenticationEntryPoint]);
  194.         if (!$this->stateless) {
  195.             $this->setTargetPath($request);
  196.         }
  198.         if ($authException instanceof AccountStatusException) {
  199.             // remove the security token to prevent infinite redirect loops
  200.             $this->tokenStorage->setToken(null);
  202.             $this->logger?->info('The security token was removed due to an AccountStatusException.', ['exception' => $authException]);
  203.         }
  205.         try {
  206.             $response $this->authenticationEntryPoint->start($request$authException);
  207.         } catch (NotAnEntryPointException) {
  208.             $this->throwUnauthorizedException($authException);
  209.         }
  211.         if (!$response instanceof Response) {
  212.             $given get_debug_type($response);
  214.             throw new \LogicException(sprintf('The "%s::start()" method must return a Response object ("%s" returned).'get_debug_type($this->authenticationEntryPoint), $given));
  215.         }
  217.         return $response;
  218.     }
  220.     protected function setTargetPath(Request $request)
  221.     {
  222.         // session isn't required when using HTTP basic authentication mechanism for example
  223.         if ($request->hasSession() && $request->isMethodSafe() && !$request->isXmlHttpRequest()) {
  224.             $this->saveTargetPath($request->getSession(), $this->firewallName$request->getUri());
  225.         }
  226.     }
  228.     private function throwUnauthorizedException(AuthenticationException $authException)
  229.     {
  230.         $this->logger?->notice(sprintf('No Authentication entry point configured, returning a %s HTTP response. Configure "entry_point" on the firewall "%s" if you want to modify the response.'Response::HTTP_UNAUTHORIZED$this->firewallName));
  232.         throw new HttpException(Response::HTTP_UNAUTHORIZED$authException->getMessage(), $authException, [], $authException->getCode());
  233.     }
  234. }