@@ -1203,7 +1203,8 @@ Thanks to the SensioFrameworkExtraBundle, you can also secure your controller us
12031203 // ...
12041204 }
12051205
1206- For more information, see the `FrameworkExtraBundle documentation `_.
1206+ For more information, see the
1207+ `FrameworkExtraBundle documentation <http://symfony.com/doc/master/bundles/SensioFrameworkExtraBundle/annotations/security.html >`_.
12071208
12081209Securing other Services
12091210~~~~~~~~~~~~~~~~~~~~~~~
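Review bot: The replacement link at 1206-1207 hard-codes `doc/master/` for the SensioFrameworkExtraBundle page, so the target will drift as that bundle's documentation moves on, whereas this book is being pinned to Symfony 2.6 elsewhere in the same commit (`.. versionadded:: 2.6` below). Pointing at a versioned path, or at least noting why `master` is intended, would keep the reference stable. Also, the inline `<url>` form is a departure from this file's convention of anchor-style references resolved by `.. _`...`:` targets at the end of the file (see `FOSUserBundle`, `Timing attack`); if the inline form is preferred here, say so in the commit message, otherwise keep the named target and fix the reference instead.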
@@ -1566,30 +1567,57 @@ is available by calling the PHP function :phpfunction:`hash_algos`.
15661567Determining the Hashed Password
15671568...............................
15681569
1570+ ..versionadded ::2.6
1571+ The ``security.password_encoder `` service was introduced in Symfony 2.6.
1572+
15691573If you're storing users in the database and you have some sort of registration
15701574form for users, you'll need to be able to determine the hashed password so
15711575that you can set it on your user before inserting it. No matter what algorithm
15721576you configure for your user object, the hashed password can always be determined
15731577in the following way from a controller::
15741578
1575- $factory = $this->get('security.encoder_factory');
15761579 $user = new Acme\UserBundle\Entity\User();
1580+ $plainPassword = 'ryanpass';
1581+ $encoded = $this->container->get('security.password_encoder')
1582+ ->encodePassword($user, $plainPassword);
15771583
1578- $encoder = $factory->getEncoder($user);
1579- $password = $encoder->encodePassword('ryanpass', $user->getSalt());
1580- $user->setPassword($password);
1584+ $user->setPassword($encoded);
15811585
15821586In order for this to work, just make sure that you have the encoder for your
15831587user class (e.g. ``Acme\UserBundle\Entity\User ``) configured under the ``encoders ``
15841588key in ``app/config/security.yml ``.
15851589
1590+ ..sidebar ::Get the User Encoder
1591+
1592+ In some cases, you need a specific encoder for a given user (e.g. ``Acme\UserBundle\Entity\User ``).
1593+ You can use the ``EncoderFactory `` to get this encoder::
1594+
1595+ $factory = $this->get('security.encoder_factory');
1596+ $user = new Acme\UserBundle\Entity\User();
1597+
1598+ $encoder = $factory->getEncoder($user);
1599+
15861600..caution ::
15871601
15881602 When you allow a user to submit a plaintext password (e.g. registration
15891603 form, change password form), you *must * have validation that guarantees
15901604 that the password is 4096 characters or less. Read more details in
15911605:ref: `How to implement a simple Registration Form <cookbook-registration-password-max >`.
15921606
1607+ Validating a Plaintext Password
1608+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1609+
1610+ Sometimes you want to check if a plain password is valid for a given user::
1611+
1612+ // a user instance of some class which implements Symfony\Component\Security\Core\User\UserInterface
1613+ $user = ...;
1614+
1615+ // the password that should be checked
1616+ $plainPassword = ...;
1617+
1618+ $isValidPassword = $this->container->get('security.password_encoder')
1619+ ->isPasswordValid($user, $plainPassword);
1620+
15931621Retrieving the User Object
15941622~~~~~~~~~~~~~~~~~~~~~~~~~~
15951623
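Review bot: The new sidebar at 1590-1598 obtains `$encoder = $factory->getEncoder($user);` and then stops, so a reader who actually needs the per-class encoder is left without the call that the removed lines used to show (`$encoder->encodePassword('ryanpass', $user->getSalt())` followed by `$user->setPassword($password)`); carry those two lines over into the sidebar so it is a complete alternative to the `security.password_encoder` path above it. Two smaller points in the same hunk: the new examples use `$this->container->get('security.password_encoder')` while the sidebar and the rest of the chapter use the controller shortcut `$this->get(...)`, so pick one form; and "Validating a Plaintext Password" is underlined with `~~~`, which promotes it to a sibling of the parent encoding section, while the neighbouring "Determining the Hashed Password" sits one level down with `...` - it reads as the same topic and should probably use the same level.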
@@ -2303,7 +2331,6 @@ Learn more from the Cookbook
23032331*:doc: `/cookbook/security/remember_me `
23042332*:doc: `How to Restrict Firewalls to a Specific Request </cookbook/security/firewall_restriction >`
23052333
2306- .. _`FrameworkExtraBundle documentation` :http://symfony.com/doc/master/bundles/SensioFrameworkExtraBundle/annotations/security.html
23072334.. _`FOSUserBundle` :https://github.com/FriendsOfSymfony/FOSUserBundle
23082335.. _`implement the\S erializable interface` :http://php.net/manual/en/class.serializable.php
23092336.. _`Timing attack` :http://en.wikipedia.org/wiki/Timing_attack
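Review bot: Deleting the `FrameworkExtraBundle documentation` target at 2306 while leaving `FOSUserBundle`, `implement the Serializable interface` and `Timing attack` as end-of-file targets makes this the only external link in the chapter resolved inline; the first hunk is what makes the deletion safe, so the two hunks must land together. If the intent is a general move to inline URLs, the other three targets should follow in the same change; if not, keeping this target and repairing the reference in the first hunk would be the smaller diff.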