- Deprecated class
LdapUserProvider, useSymfony\Component\Ldap\Security\LdapUserProviderinstead - Added method
needsRehash()toPasswordEncoderInterfaceandUserPasswordEncoderInterface - Added
MigratingPasswordEncoder - Added and implemented
PasswordUpgraderInterface, for opportunistic password migrations - Added
Guard\PasswordAuthenticatedInterface, an optional interface for "guard" authenticators that deal with user passwords - Marked all dispatched event classes as
@final - Deprecated returning a non-boolean value when implementing
Guard\AuthenticatorInterface::checkCredentials(). - Deprecated passing more than one attribute to
AccessDecisionManager::decide()andAuthorizationChecker::isGranted() - Added new
argon2idencoder, undeprecated thebcryptandargon2iones (usingautois still recommended by default.) - Added
AbstractListenerwhich replaces the deprecatedListenerInterface
- Added methods
__serializeand__unserializeto theTokenInterface - Added
SodiumPasswordEncoderandNativePasswordEncoder - The
RoleandSwitchUserRoleclasses are deprecated and will be removed in 5.0. Use strings for roles instead. - The
getReachableRoles()method of theRoleHierarchyInterfaceis deprecated and will be removed in 5.0. Role hierarchies must implement thegetReachableRoleNames()method instead and return roles as strings. - The
getRoles()method of theTokenInterfaceis deprecated. Tokens must implement thegetRoleNames()method instead and return roles as strings. - Made the
serialize()andunserialize()methods ofAbstractTokenandAuthenticationExceptionfinal, use__serialize()/__unserialize()instead AuthenticationExceptiondoesn't implementSerializableanymore- Deprecated the
ListenerInterface, turn your listeners into callables instead - Deprecated
Firewall::handleRequest(), useFirewall::callListeners()instead - Dispatch
AuthenticationSuccessEventonsecurity.authentication.success - Dispatch
AuthenticationFailureEventonsecurity.authentication.failure - Dispatch
InteractiveLoginEventonsecurity.interactive_login - Dispatch
SwitchUserEventonsecurity.switch_user - Deprecated
Argon2iPasswordEncoder, useSodiumPasswordEncoderinstead - Deprecated
BCryptPasswordEncoder, useNativePasswordEncoderinstead - Added
DeauthenticatedEventdispatched in case the user has changed when trying to refresh the token
- added the
is_granted()function in security expressions - deprecated the
has_role()function in security expressions, useis_granted()instead - Passing custom class names to the
Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverto define custom anonymous and remember me token classes is deprecated. To use custom tokens, extend the existingSymfony\Component\Security\Core\Authentication\Token\AnonymousTokenorSymfony\Component\Security\Core\Authentication\Token\RememberMeToken. - allow passing null as $filter in LdapUserProvider to get the default filter
- accessing the user object that is not an instance of
UserInterfacefromSecurity::getUser()is deprecated - Deprecated
SimpleAuthenticatorInterface,SimpleFormAuthenticatorInterface,SimplePreAuthenticatorInterface,SimpleAuthenticationProvider,SimpleAuthenticationHandler,SimpleFormAuthenticationListenerandSimplePreAuthenticationListener. Use Guard instead.
- The
ContextListener::setLogoutOnUserChange()method is deprecated. - added
UserValueResolver. - Using the AdvancedUserInterface is now deprecated. To use the existing
functionality, create a custom user-checker based on the
Symfony\Component\Security\Core\User\UserChecker. AuthenticationUtils::getLastUsername()now always returns a string.
- The
AbstractFormLoginAuthenticator::onAuthenticationSuccess()was removed. You should implement this method yourself in your concrete authenticator. - removed the
AccessDecisionManager::setVoters()method - removed the
RoleInterface - removed support for voters that don't implement the
VoterInterface - added a sixth
string $contextargument toLogoutUrlGenerator::registerListener() - removed HTTP digest authentication
- removed
GuardAuthenticatorInterfacein favor ofAuthenticatorInterface - removed
AbstractGuardAuthenticator::supports() - added target user to
SwitchUserListener
- Added
getUser,getTokenandisGrantedmethods toSecurity. - added a
setToken()method to theSwitchUserEventclass to allow to replace the created token while switching users when custom token generation is required by application. - Using voters that do not implement the
VoterInterfaceis now deprecated in theAccessDecisionManagerand this functionality will be removed in 4.0. - Using the
ContextListenerwithout setting thelogoutOnUserChangeproperty will trigger a deprecation when the user has changed. As of 4.0 the user will always be logged out when the user has changed between requests. - deprecated HTTP digest authentication
- Added a new password encoder for the Argon2i hashing algorithm
- deprecated
GuardAuthenticatorInterfacein favor ofAuthenticatorInterface - deprecated to return
nullfromgetCredentials()in classes that extendAbstractGuardAuthenticator. Returnfalsefromsupports()instead.
- deprecated
AccessDecisionManager::setVoters()in favor of passing the voters to the constructor. - [EXPERIMENTAL] added a
json_loginlistener for stateless authentication
- added
$attributesand$subjectwith getters/setters toSymfony\Component\Security\Core\Exception\AccessDeniedException
- removed all deprecated code
- deprecated
getKey()of theAnonymousToken,RememberMeToken,AbstractRememberMeServicesandDigestAuthenticationEntryPointclasses in favor ofgetSecret(). - deprecated
Symfony\Component\Security\Core\Authentication\SimplePreAuthenticatorInterface, useSymfony\Component\Security\Http\Authentication\SimplePreAuthenticatorInterfaceinstead - deprecated
Symfony\Component\Security\Core\Authentication\SimpleFormAuthenticatorInterface, useSymfony\Component\Security\Http\Authentication\SimpleFormAuthenticatorInterfaceinstead - deprecated
Symfony\Component\Security\Core\Util\ClassUtils, useSymfony\Component\Security\Acl\Util\ClassUtilsinstead - deprecated the
Symfony\Component\Security\Core\Util\SecureRandomclass in favor of therandom_bytes()function - deprecated
supportsAttribute()andsupportsClass()methods ofSymfony\Component\Security\Core\Authorization\AccessDecisionManagerInterfaceandSymfony\Component\Security\Core\Authorization\Voter\VoterInterface. - deprecated
getSupportedAttributes()andgetSupportedClasses()methods ofSymfony\Component\Security\Core\Authorization\Voter\AbstractVoter, usesupports()instead. - deprecated the
intentionoption for all the authentication listeners, use thecsrf_token_idoption instead.
- added LogoutUrlGenerator
- added the triggering of the
Symfony\Component\Security\Http\SecurityEvents::INTERACTIVE_LOGINinSymfony\Component\Security\Http\Firewall\SimplePreAuthenticationListener - The MaskBuilder logic has been abstracted in the
Symfony\Component\Security\Acl\Permission\AbstractMaskBuilderand described in theSymfony\Component\Security\Acl\Permission\MaskBuilderInterface - added interface
Symfony\Component\Security\Acl\Permission\MaskBuilderRetrievalInterface
- added Symfony\Component\Security\Http\Authentication\AuthenticationUtils
- Deprecated the
SecurityContextclass in favor of theAuthorizationCheckerandTokenStorageclasses
- Translations in the
src/Symfony/Component/Security/Resources/translations/directory are deprecated, ones insrc/Symfony/Component/Security/Core/Resources/translations/must be used instead. - The switch user listener now preserves the query string when switching a user
- The remember-me cookie hashes now use HMAC, which means that current cookies will be invalidated
- added simpler customization options
- structured component into three sub-components Acl, Core and Http
- added Csrf sub-component
- changed Http sub-component to depend on Csrf sub-component instead of the Form component
- [BC BREAK] the BCrypt encoder constructor signature has changed (the first argument was removed) To use the BCrypt encoder, you now need PHP 5.5 or "ircmaxell/password-compat" as a composer dependency
- [BC BREAK] return 401 instead of 500 when using use_forward during for form authentication
- added a
require_previous_sessionoption toAbstractAuthenticationListener
Symfony\Component\Security\Http\FirewallandSymfony\Component\Security\Http\RememberMe\ResponseListenernow implements EventSubscriberInterface- added secure random number generator
- added PBKDF2 Password encoder
- added BCrypt password encoder
- [BC BREAK] The signature of ExceptionListener has changed
- changed the HttpUtils constructor signature to take a UrlGenerator and a UrlMatcher instead of a Router
- EncoderFactoryInterface::getEncoder() can now also take a class name as an argument
- allow switching to the user that is already impersonated
- added support for the remember_me parameter in the query
- added AccessMapInterface
- [BC BREAK] moved user comparison logic out of UserInterface
- made the logout path check configurable
- after login, the user is now redirected to
default_target_pathifuse_refereris true and the referrer is thelogin_path. - added a way to remove a token from a session
- [BC BREAK] changed
MutableAclInterface::setParentAclto acceptnull, review your implementation to reflect this change. ObjectIdentity::fromDomainObject,UserSecurityIdentity::fromAccountandUserSecurityIdentity::fromTokennow return correct identities for proxies objects (e.g. Doctrine proxies)- [BC BREAK] moved the default authentication success and failure handling to
separate classes. The order of arguments in the constructor of the
AbstractAuthenticationListenerhas changed. - [BC BREAK] moved the default logout success handling to a separate class. The
order of arguments in the constructor of
LogoutListenerhas changed. - [BC BREAK] The constructor of
AuthenticationExceptionand all child classes now matches the constructor of\Exception. The extra information getters and setters are removed. There are now dedicated getters/setters for token (AuthenticationException'), user (AccountStatusException) and username (UsernameNotFoundException`).