Commit 41c7d44

Modifications based on feedback by @wouterj and @stof

1 parent d11c0d0 commit 41c7d44

3 files changed: +85 -75 lines changed

3 files changed

+85
-75
lines changed

components/security/authentication.rst

Lines changed: 21 additions & 27 deletions
@@ -10,9 +10,7 @@ firewall map is able to extract the user's credentials from the current
1010
a token, containing these credentials. The next thing the listener should
1111
do is ask the authentication manager to validate the given token, and return
1212
an authenticated token when the supplied credentials were found to be valid.
13-
The listener should then store the authenticated token in the security context:
14-
15-
::
13+
The listener should then store the authenticated token in the security context::
1614

1715
use Symfony\Component\Security\Http\Firewall\ListenerInterface;
1816
use Symfony\Component\Security\Core\SecurityContextInterface;
@@ -32,7 +30,9 @@ The listener should then store the authenticated token in the security context:
3230
*/
3331
private $authenticationManager;
3432

35-
// string Uniquely identifies the secured area
33+
/**
34+
* @var string Uniquely identifies the secured area
35+
*/
3636
private $providerKey;
3737

3838
// ...
@@ -65,9 +65,7 @@ The listener should then store the authenticated token in the security context:
6565
The authentication manager
6666
--------------------------
6767

68-
The default authentication manager is an instance of:class:`Symfony\\Component\\Security\\Core\\Authentication\\AuthenticationProviderManager`:
69-
70-
::
68+
The default authentication manager is an instance of:class:`Symfony\\Component\\Security\\Core\\Authentication\\AuthenticationProviderManager`::
7169

7270
use Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager;
7371

@@ -98,9 +96,10 @@ Authentication providers
9896

9997
Each provider (since it implements
10098
:class:`Symfony\\Component\\Security\\Core\\Authentication\\Provider\\AuthenticationProviderInterface`)
101-
has a method ``supports()`` by which the ``AuthenticationProviderManager``
99+
has a method:method:`Symfony\\Component\\Security\\Core\\Authentication\\Provider\\AuthenticationProviderInterface::supports`
100+
by which the ``AuthenticationProviderManager``
102101
can determine if it supports the given token. If this is the case, the
103-
manager then calls the provider's method``authenticate()``. This method
102+
manager then calls the provider's method:class:`Symfony\\Component\\Security\\Core\\Authentication\\Provider\\AuthenticationProviderInterface::authenticate`. This method
104103
should return an authenticated token or throw an:class:`Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException`
105104
(or any other exception extending it).
106105

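Review bot: the reference to `authenticate` on the changed line uses the `:class:` role (`method:class:`Symfony\\Component\\Security\\Core\\Authentication\\Provider\\AuthenticationProviderInterface::authenticate``) while the `supports` reference two lines above uses `:method:`; make it `:method:` as well so Sphinx resolves a method link instead of looking for a class by that name.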
@@ -117,11 +116,10 @@ from the user data storage, hash the password the user has just provided
117116
the given password is valid.
118117

119118
This functionality is offered by the:class:`Symfony\\Component\\Security\\Core\\Authentication\\Provider\\DaoAuthenticationProvider`.
120-
It fetches the user's data from a ``UserProvider``, uses a ``PasswordEncoder``
119+
It fetches the user's data from a:class:`Symfony\\Component\\Security\\Core\\User\\UserProviderInterface``,
120+
uses a:class:`Symfony\\Component\\Security\\Core\\Encoder\\PasswordEncoderInterface`
121121
to create a hash of the password and returns an authenticated token if the
122-
password was valid.
123-
124-
::
122+
password was valid::
125123

126124
use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
127125
use Symfony\Component\Security\Core\User\UserChecker;
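Review bot: the added `:class:` reference to `UserProviderInterface` ends with two backticks (`...\\User\\UserProviderInterface``,`), leaving an unbalanced backtick that will break the interpreted-text role when the page is built; drop the extra one so it matches the `PasswordEncoderInterface` reference on the next added line.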
@@ -162,13 +160,11 @@ password was valid.
162160
The password encoder factory
163161
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
164162

165-
The ``DaoAuthenticationProvider`` uses an encoder factory to create a password
166-
encoder for a given type of user. This allows you to use different encoding
167-
strategies for different types of users.
168-
The default:class:`Symfony\\Component\\Security\\Core\\Encoder\\EncoderFactory`
169-
receives an array of encoders:
170-
171-
::
163+
The:class:`Symfony\\Component\\Security\\Core\\Authentication\\Provider\\DaoAuthenticationProvider`
164+
uses an encoder factory to create a password encoder for a given type of
165+
user. This allows you to use different encoding strategies for different
166+
types of users. The default:class:`Symfony\\Component\\Security\\Core\\Encoder\\EncoderFactory`
167+
receives an array of encoders::
172168

173169
use Symfony\Component\Security\Core\Encoder\EncoderFactory;
174170
use Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder;
@@ -179,7 +175,7 @@ receives an array of encoders:
179175
$encoders = array(
180176
'Symfony\\Component\\Security\\Core\\User\\User' => $defaultEncoder,
181177
'Acme\\Entity\\LegacyUser' => $weakEncoder,
182-
...
178+
...,
183179
);
184180

185181
$encoderFactory = new EncoderFactory($encoders);
@@ -191,12 +187,10 @@ encoder factory to construct the encoder only when it is needed.
191187
Password encoders
192188
~~~~~~~~~~~~~~~~~
193189

194-
When the ``getEncoder()`` method of the password encoder factory is called
195-
with the user object as its first argument, it will return an encoder of
196-
type:class:`Symfony\\Component\\Security\\Core\\Encoder\\PasswordEncoderInterface`
197-
which should be used to encode this user's password:
198-
199-
::
190+
When the:method:`Symfony\\Component\\Security\\Core\\Encoder\\EncoderFactory::getEncoder`
191+
method of the password encoder factory is called with the user object as
192+
its first argument, it will return an encoder of type:class:`Symfony\\Component\\Security\\Core\\Encoder\\PasswordEncoderInterface`
193+
which should be used to encode this user's password::
200194

201195
// fetch a user of type Acme\Entity\LegacyUser
202196
$user = ...

components/security/authorization.rst

Lines changed: 41 additions & 26 deletions
@@ -7,8 +7,9 @@ Authorization
77
When any of the authentication providers (see:ref:`authentication_providers`)
88
has verified the still unauthenticated token, an authenticated token will
99
be returned. The authentication listener should set this token directly
10-
in the:class:`Symfony\\Component\\Security\\Core\\SecurityContext` using its
11-
``setToken()`` method.
10+
in the:class:`Symfony\\Component\\Security\\Core\\SecurityContextInterface`
11+
using its:method:`Symfony\\Component\\Security\\Core\\SecurityContextInterface::setToken`
12+
method.
1213

1314
From then on, the user is authenticated, i.e. means identified.
1415
Now, other parts of the application can use the token to decide whether
@@ -18,19 +19,21 @@ This decision will be made by an instance of :class:`Symfony\\Component\\Securit
1819
An authorization decision will always be based on a few things:
1920

2021
The current token
21-
The token`s ``getRoles()`` method will be used to retrieve the roles
22-
of the current user (e.g. "ROLE_SUPER_ADMIN")
22+
For instance, the token's:method:`Symfony\\Component\\Security\\Core\\Authentication\\Token\\TokenInterface::getRoles`
23+
method may be used to retrieve the roles of the current user (e.g.
24+
"ROLE_SUPER_ADMIN"), or a decision may be based on the class of the token.
2325
A set of attributes
2426
Each attribute stands for a certain right the user should have, e.g.
2527
"ROLE_ADMIN" to make sure the user is an administrator.
2628
An object (optional)
2729
Any object on which to decide, e.g. the current:class:`Symfony\\Component\\HttpFoundation\\Request`
28-
object.
30+
object, or an object for which access control needs to be checked, like
31+
an article or a comment object.
2932

3033
Access decision manager
3134
-----------------------
3235

33-
Sincechoosing whether or not a user is authorized to perform a certain
36+
Sincedeciding whether or not a user is authorized to perform a certain
3437
action can be a complicated process, the standard:class:`Symfony\\Component\\Security\\Core\\Authorization\\AccessDecisionManager`
3538
itself depends on multiple voters, and makes a final verdict based on all
3639
the votes (either positive, negative or neutral) it has received. It
@@ -45,7 +48,7 @@ recognizes several strategies:
4548
``unanimous``
4649
Only grant access if none of the voters has denied access
4750

48-
::
51+
..code-block::php
4952
5053
use Symfony\Component\Security\Core\Authorization\AccessDecisionManager;
5154
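Review bot: this hunk (and the later ones in this file) replaces the `::` literal-block shorthand with `.. code-block:: php`, while authentication.rst in the same commit keeps the shorthand (e.g. `receives an array of encoders::`); pick one convention for the component docs so the three files read the same way.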
@@ -61,8 +64,12 @@ recognizes several strategies:
6164
// whether or not to grant access when there is no majority (applies only to the "consensus" strategy)
6265
$allowIfEqualGrantedDeniedDecisions = ...;
6366
64-
$accessDecisionManager = new AccessDecisionManager($voters, $strategy,
65-
$allowIfAllAbstainDecisions, $allowIfEqualGrantedDeniedDecisions);
67+
$accessDecisionManager = new AccessDecisionManager(
68+
$voters,
69+
$strategy,
70+
$allowIfAllAbstainDecisions,
71+
$allowIfEqualGrantedDeniedDecisions
72+
);
6673
6774
Voters
6875
------
@@ -92,7 +99,7 @@ and "IS_AUTHENTICATED_ANONYMOUSLY" and grants access based on the current
9299
level of authentication, i.e. is the user fully authenticated, or only based
93100
on a "remember-me" cookie, or even authenticated anonymously?
94101

95-
::
102+
..code-block::php
96103
97104
use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
98105
@@ -104,19 +111,20 @@ on a "remember-me" cookie, or even authenticated anonymously?
104111
$authenticatedVoter = new AuthenticatedVoter($trustResolver);
105112
106113
// instance of Symfony\Component\Security\Core\Authentication\Token\TokenInterface
107-
$token = ...
114+
$token = ...;
108115
109116
// any object
110-
$object = ...
117+
$object = ...;
111118
112119
$vote = $authenticatedVoter->vote($token, $object, array('IS_AUTHENTICATED_FULLY');
113120
114121
The:class:`Symfony\\Component\\Security\\Core\\Authorization\\Voter\\RoleVoter`
115122
supports attributes starting with "ROLE_" and grants access to the user
116123
when the required "ROLE_*" attributes can all be found in the array of
117-
roles returned by the token's ``getRoles()`` method.
124+
roles returned by the token's:method:`Symfony\\Component\\Security\\Core\\Authentication\\Token\\TokenInterface::getRoles`
125+
method.
118126

119-
::
127+
..code-block::php
120128
121129
use Symfony\Component\Security\Core\Authorization\Voter\RoleVoter;
122130
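Review bot: the unchanged context line `$vote = $authenticatedVoter->vote($token, $object, array('IS_AUTHENTICATED_FULLY');` is missing the closing parenthesis of `array(...)`, so the snippet is not valid PHP; since this hunk already adds the missing semicolons to `$token = ...;` and `$object = ...;`, fix this line too: `array('IS_AUTHENTICATED_FULLY'));`.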
@@ -133,7 +141,7 @@ user to have the "ROLE_ADMIN" role, it grants access to users who in fact
133141
have the "ROLE_ADMIN" role, but also to users having the "ROLE_SUPER_ADMIN"
134142
role.
135143

136-
::
144+
..code-block::php
137145
138146
use Symfony\Component\Security\Core\Authorization\Voter\RoleHierarchyVoter;
139147
use Symfony\Component\Security\Core\Role\RoleHierarchy;
@@ -156,11 +164,10 @@ Roles
156164

157165
Roles are objects that give expression to a certain right the user has.
158166
The only requirement is that they implement:class:`Symfony\\Component\\Security\\Core\\Role\\RoleInterface`,
159-
which means they should also have a ``getRole()`` method that returns a
160-
string representation of the role itself. The default:class:`Symfony\\Component\\Security\\Core\\Role\\Role`
161-
simply returns its first constructor argument:
162-
163-
::
167+
which means they should also have a:method:`Symfony\\Component\\Security\\Core\\Role\\Role\\RoleInterface::getRole`
168+
method that returns a string representation of the role itself. The default
169+
:class:`Symfony\\Component\\Security\\Core\\Role\\Role` simply returns its
170+
first constructor argument::
164171

165172
use Symfony\Component\Security\Core\Role\Role;
166173

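Review bot: the added `:method:` reference uses the namespace `Symfony\\Component\\Security\\Core\\Role\\Role\\RoleInterface::getRole`, with `Role` repeated; the unchanged line above references `Symfony\\Component\\Security\\Core\\Role\\RoleInterface`, so the extra `Role\\` segment is a typo that will produce a broken cross-reference.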
@@ -191,7 +198,7 @@ It uses an access map (which should be an instance of :class:`Symfony\\Component
191198
which contains request matchers and a corresponding set of attributes that
192199
are required for the current user to get access to the application.
193200

194-
::
201+
..code-block::php
195202
196203
use Symfony\Component\Security\Http\AccessMap;
197204
use Symfony\Component\HttpFoundation\RequestMatcher;
@@ -201,23 +208,31 @@ are required for the current user to get access to the application.
201208
$requestMatcher = new RequestMatcher('^/admin');
202209
$accessMap->add($requestMatcher, array('ROLE_ADMIN'));
203210
204-
$accessListener = new AccessListener($securityContext, $accessDecisionManager,
205-
$accessMap, $authenticationManager);
211+
$accessListener = new AccessListener(
212+
$securityContext,
213+
$accessDecisionManager,
214+
$accessMap,
215+
$authenticationManager
216+
);
206217
207218
Security context
208219
~~~~~~~~~~~~~~~~
209220

210221
The access decision manager is also available to other parts of the application
211-
by means of the ``isGranted($attribute)`` method of the:class:`Symfony\\Component\\Security\\Core\\SecurityContext`.
222+
by means of the:method:`Symfony\\Component\\Security\\Core\\SecurityContext::isGranted`
223+
method of the:class:`Symfony\\Component\\Security\\Core\\SecurityContext`.
212224
A call to this method will directly delegate the question to the access
213225
decision manager.
214226

215-
::
227+
..code-block::php
216228
217229
use Symfony\Component\Security\SecurityContext;
218230
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
219231
220-
$securityContext = new SecurityContext();
232+
$securityContext = new SecurityContext(
233+
$authenticationManager,
234+
$accessDecisionManager
235+
);
221236
222237
if (!$securityContext->isGranted('ROLE_ADMIN')) {
223238
throw new AccessDeniedException();
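Review bot: the unchanged `use Symfony\Component\Security\SecurityContext;` in this block does not match the class the surrounding prose references, `Symfony\\Component\\Security\\Core\\SecurityContext`, so the added `new SecurityContext($authenticationManager, $accessDecisionManager)` call points at an import from the wrong namespace; correct the `use` line to the `Core` namespace while this block is being touched. For consistency with the `setToken` reference changed at the top of this file, `isGranted` could also be referenced on `SecurityContextInterface`.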

components/security/firewall.rst

Lines changed: 23 additions & 22 deletions
@@ -10,7 +10,7 @@ steps in the process of authenticating the user have been taken successfully,
1010
the security context may be asked if the authenticated user has access
1111
to a certain action or resource of the application.
1212

13-
::
13+
..code-block::php
1414
1515
use Symfony\Component\Security\SecurityContext;
1616
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
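Review bot: as in authorization.rst, the unchanged `use Symfony\Component\Security\SecurityContext;` in this block should import `Symfony\Component\Security\Core\SecurityContext`, the namespace the docs reference elsewhere in this commit; the hunk only swaps `::` for `.. code-block:: php`, but it touches the same block and is the natural place to fix the import.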
@@ -36,7 +36,7 @@ ability to find out if the current request points to a secured area.
3636
The listeners are then asked if the current request can be used to authenticate
3737
the user.
3838

39-
::
39+
..code-block::php
4040
4141
use Symfony\Component\Security\Http\FirewallMap;
4242
use Symfony\Component\HttpFoundation\RequestMatcher;
@@ -56,12 +56,13 @@ the user.
5656
The firewall map will be given to the firewall as it's first argument, together
5757
with the event dispatcher that is used by the:class:`Symfony\\Component\\HttpKernel\\HttpKernel`.
5858

59-
::
59+
..code-block::php
6060
6161
use Symfony\Component\Security\Http\Firewall;
6262
use Symfony\Component\HttpKernel\KernelEvents;
6363
64-
// $dispatcher is the EventDispatcher used by the HttpKernel
64+
// the EventDispatcher used by the HttpKernel
65+
$dispatcher = ...;
6566
6667
$firewall = new Firewall($map, $dispatcher);
6768
@@ -78,27 +79,27 @@ Firewall listeners
7879
------------------
7980

8081
When the firewall gets notified of the ``kernel.request`` event, it asks
81-
the firewall map if the request matchesany of the secured areas.If it
82-
does,thecorresponding listeners (who each implement
83-
:class:`Symfony\\Component\\Security\\Http\\Firewall\\ListenerInterface`)
84-
will be asked to handle the current request. This basically means: find
85-
out if the current request contains any information by which the user might
86-
be authenticated (for instance the Basic HTTP authentication listener checks
87-
if the request has a header called "PHP_AUTH_USER").
82+
the firewall map if the request matchesone of the secured areas.The first
83+
secured area that matchestherequest, will return a set of corresponding
84+
firewall listeners (which each implement:class:`Symfony\\Component\\Security\\Http\\Firewall\\ListenerInterface`).
85+
These listenerswillallbe asked to handle the current request. This basically
86+
means: findout if the current request contains any information by which
87+
the user mightbe authenticated (for instance the Basic HTTP authentication
88+
listener checksif the request has a header called "PHP_AUTH_USER").
8889

8990
Exception listener
9091
------------------
9192

92-
If any of the listeners throws an:class:`Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException`
93-
(or anyexceptionextending this exception), the exception listener that
94-
was provided when adding secured areas to thefirewall map will jump in.
93+
If any of the listeners throws an:class:`Symfony\\Component\\Security\\Core\\Exception\\AuthenticationException`,
94+
theexceptionlistener that was provided when adding secured areas to the
95+
firewall map will jump in.
9596

9697
The exception listener determines what happens next, based on the arguments
9798
it received when it was created. It may start the authentication procedure,
9899
maybe ask the user to supply his credentials again (when he has only been
99100
authenticated based on a "remember-me" cookie), or transform the exception
100101
into an:class:`Symfony\\Component\\HttpKernel\\Exception\\AccessDeniedHttpException`,
101-
which will eventually result in an "HTTP/1.1401: Access Denied" response.
102+
which will eventually result in an "HTTP/1.1403: Access Denied" response.
102103

103104
Entry points
104105
------------
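Review bot: in the rewritten paragraph, `The first secured area that matches the request, will return a set of corresponding firewall listeners` has a comma between the subject and its verb; drop it. The same hunk also removes the parenthetical about exceptions extending `AuthenticationException`, which authentication.rst still states as `(or any other exception extending it)`; keep it here unless the omission is deliberate. The 401 to 403 correction for `AccessDeniedHttpException` is right.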
@@ -107,10 +108,10 @@ When the user is not authenticated at all (i.e. when the security context
107108
has no token yet), the firewall's entry point will be called to "start"
108109
the authentication process. An entry point should implement
109110
:class:`Symfony\\Component\\Security\\Http\\EntryPoint\\AuthenticationEntryPointInterface`,
110-
which has only one method:``start()``. This method receives the
111-
current:class:`Symfony\\Component\\HttpFoundation\\Request` object and
112-
the exception by which the exception listener was triggered. The method
113-
should return a:class:`Symfony\\Component\\HttpFoundation\\Response` object,
114-
for instance the page containing the login form, or in the case of Basic
115-
HTTP authentication a response with a "WWW-Authenticate" header, which will
116-
prompt the user to supply his username and password.
111+
which has only one method::method:`Symfony\\Component\\Security\\Http\\EntryPoint\\AuthenticationEntryPointInterface::start`.
112+
This method receives thecurrent:class:`Symfony\\Component\\HttpFoundation\\Request`
113+
object andthe exception by which the exception listener was triggered.
114+
The methodshould return a:class:`Symfony\\Component\\HttpFoundation\\Response`
115+
object,for instance the page containing the login form, or in the case
116+
of BasicHTTP authentication a response with a "WWW-Authenticate" header,
117+
which willprompt the user to supply his username and password.
