vendor/symfony/security-http/Firewall/ExceptionListener.php line 92

  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Http\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  16. use Symfony\Component\HttpFoundation\Request;
  17. use Symfony\Component\HttpFoundation\Response;
  18. use Symfony\Component\HttpKernel\Event\ExceptionEvent;
  19. use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
  20. use Symfony\Component\HttpKernel\Exception\HttpException;
  21. use Symfony\Component\HttpKernel\HttpKernelInterface;
  22. use Symfony\Component\HttpKernel\KernelEvents;
  23. use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
  24. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  25. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  26. use Symfony\Component\Security\Core\Exception\AccountStatusException;
  27. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  28. use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
  29. use Symfony\Component\Security\Core\Exception\LazyResponseException;
  30. use Symfony\Component\Security\Core\Exception\LogoutException;
  31. use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
  32. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  33. use Symfony\Component\Security\Http\EntryPoint\Exception\NotAnEntryPointException;
  34. use Symfony\Component\Security\Http\HttpUtils;
  35. use Symfony\Component\Security\Http\SecurityRequestAttributes;
  36. use Symfony\Component\Security\Http\Util\TargetPathTrait;
  38. /**
  39. * ExceptionListener catches authentication exception and converts them to
  40. * Response instances.
  41. *
  42. * @author Fabien Potencier <fabien@symfony.com>
  43. *
  44. * @final
  45. */
  46. class ExceptionListener
  47. {
  48. use TargetPathTrait;
  50. private TokenStorageInterface $tokenStorage;
  51. private string $firewallName;
  52. private ?AccessDeniedHandlerInterface $accessDeniedHandler;
  53. private ?AuthenticationEntryPointInterface $authenticationEntryPoint;
  54. private AuthenticationTrustResolverInterface $authenticationTrustResolver;
  55. private ?string $errorPage;
  56. private ?LoggerInterface $logger;
  57. private HttpUtils $httpUtils;
  58. private bool $stateless;
  60. public function __construct(TokenStorageInterface $tokenStorage, AuthenticationTrustResolverInterface $trustResolver, HttpUtils $httpUtils, string $firewallName, ?AuthenticationEntryPointInterface $authenticationEntryPoint = null, ?string $errorPage = null, ?AccessDeniedHandlerInterface $accessDeniedHandler = null, ?LoggerInterface $logger = null, bool $stateless = false)
  61. {
  62. $this->tokenStorage = $tokenStorage;
  63. $this->accessDeniedHandler = $accessDeniedHandler;
  64. $this->httpUtils = $httpUtils;
  65. $this->firewallName = $firewallName;
  66. $this->authenticationEntryPoint = $authenticationEntryPoint;
  67. $this->authenticationTrustResolver = $trustResolver;
  68. $this->errorPage = $errorPage;
  69. $this->logger = $logger;
  70. $this->stateless = $stateless;
  71. }
  73. /**
  74. * Registers a onKernelException listener to take care of security exceptions.
  75. */
  76. public function register(EventDispatcherInterface $dispatcher): void
  77. {
  78. $dispatcher->addListener(KernelEvents::EXCEPTION, $this->onKernelException(...), 1);
  79. }
  81. /**
  82. * Unregisters the dispatcher.
  83. */
  84. public function unregister(EventDispatcherInterface $dispatcher): void
  85. {
  86. $dispatcher->removeListener(KernelEvents::EXCEPTION, $this->onKernelException(...));
  87. }
  89. /**
  90. * Handles security related exceptions.
  91. */
  92. public function onKernelException(ExceptionEvent $event): void
  93. {
  94. $exception = $event->getThrowable();
  95. do {
  96. if ($exception instanceof AuthenticationException) {
  97. $this->handleAuthenticationException($event, $exception);
  99. return;
  100. }
  102. if ($exception instanceof AccessDeniedException) {
  103. $this->handleAccessDeniedException($event, $exception);
  105. return;
  106. }
  108. if ($exception instanceof LazyResponseException) {
  109. $event->setResponse($exception->getResponse());
  111. return;
  112. }
  114. if ($exception instanceof LogoutException) {
  115. $this->handleLogoutException($event, $exception);
  117. return;
  118. }
  119. } while (null !== $exception = $exception->getPrevious());
  120. }
  122. private function handleAuthenticationException(ExceptionEvent $event, AuthenticationException $exception): void
  123. {
  124. $this->logger?->info('An AuthenticationException was thrown; redirecting to authentication entry point.', ['exception' => $exception]);
  126. try {
  127. $event->setResponse($this->startAuthentication($event->getRequest(), $exception));
  128. $event->allowCustomResponseCode();
  129. } catch (\Exception $e) {
  130. $event->setThrowable($e);
  131. }
  132. }
  134. private function handleAccessDeniedException(ExceptionEvent $event, AccessDeniedException $exception): void
  135. {
  136. $event->setThrowable(new AccessDeniedHttpException($exception->getMessage(), $exception));
  138. $token = $this->tokenStorage->getToken();
  139. if (!$this->authenticationTrustResolver->isFullFledged($token)) {
  140. $this->logger?->debug('Access denied, the user is not fully authenticated; redirecting to authentication entry point.', ['exception' => $exception]);
  142. try {
  143. $insufficientAuthenticationException = new InsufficientAuthenticationException('Full authentication is required to access this resource.', 0, $exception);
  144. if (null !== $token) {
  145. $insufficientAuthenticationException->setToken($token);
  146. }
  148. $event->setResponse($this->startAuthentication($event->getRequest(), $insufficientAuthenticationException));
  149. } catch (\Exception $e) {
  150. $event->setThrowable($e);
  151. }
  153. return;
  154. }
  156. $this->logger?->debug('Access denied, the user is neither anonymous, nor remember-me.', ['exception' => $exception]);
  158. try {
  159. if (null !== $this->accessDeniedHandler) {
  160. $response = $this->accessDeniedHandler->handle($event->getRequest(), $exception);
  162. if ($response instanceof Response) {
  163. $event->setResponse($response);
  164. }
  165. } elseif (null !== $this->errorPage) {
  166. $subRequest = $this->httpUtils->createRequest($event->getRequest(), $this->errorPage);
  167. $subRequest->attributes->set(SecurityRequestAttributes::ACCESS_DENIED_ERROR, $exception);
  169. $event->setResponse($event->getKernel()->handle($subRequest, HttpKernelInterface::SUB_REQUEST, true));
  170. $event->allowCustomResponseCode();
  171. }
  172. } catch (\Exception $e) {
  173. $this->logger?->error('An exception was thrown when handling an AccessDeniedException.', ['exception' => $e]);
  175. $event->setThrowable(new \RuntimeException('Exception thrown when handling an exception.', 0, $e));
  176. }
  177. }
  179. private function handleLogoutException(ExceptionEvent $event, LogoutException $exception): void
  180. {
  181. $event->setThrowable(new AccessDeniedHttpException($exception->getMessage(), $exception));
  183. $this->logger?->info('A LogoutException was thrown; wrapping with AccessDeniedHttpException', ['exception' => $exception]);
  184. }
  186. private function startAuthentication(Request $request, AuthenticationException $authException): Response
  187. {
  188. if (null === $this->authenticationEntryPoint) {
  189. $this->throwUnauthorizedException($authException);
  190. }
  192. $this->logger?->debug('Calling Authentication entry point.', ['entry_point' => $this->authenticationEntryPoint]);
  194. if (!$this->stateless) {
  195. $this->setTargetPath($request);
  196. }
  198. if ($authException instanceof AccountStatusException) {
  199. // remove the security token to prevent infinite redirect loops
  200. $this->tokenStorage->setToken(null);
  202. $this->logger?->info('The security token was removed due to an AccountStatusException.', ['exception' => $authException]);
  203. }
  205. try {
  206. $response = $this->authenticationEntryPoint->start($request, $authException);
  207. } catch (NotAnEntryPointException) {
  208. $this->throwUnauthorizedException($authException);
  209. }
  211. if (!$response instanceof Response) {
  212. $given = get_debug_type($response);
  214. throw new \LogicException(sprintf('The "%s::start()" method must return a Response object ("%s" returned).', get_debug_type($this->authenticationEntryPoint), $given));
  215. }
  217. return $response;
  218. }
  220. protected function setTargetPath(Request $request): void
  221. {
  222. // session isn't required when using HTTP basic authentication mechanism for example
  223. if ($request->hasSession() && $request->isMethodSafe() && !$request->isXmlHttpRequest()) {
  224. $this->saveTargetPath($request->getSession(), $this->firewallName, $request->getUri());
  225. }
  226. }
  228. private function throwUnauthorizedException(AuthenticationException $authException): never
  229. {
  230. $this->logger?->notice(sprintf('No Authentication entry point configured, returning a %s HTTP response. Configure "entry_point" on the firewall "%s" if you want to modify the response.', Response::HTTP_UNAUTHORIZED, $this->firewallName));
  232. throw new HttpException(Response::HTTP_UNAUTHORIZED, $authException->getMessage(), $authException, [], $authException->getCode());
  233. }
  234. }