在我的新symfony 5.3项目中,我刚刚实现了新的身份验证系统,它工作得很好,但我的问题是我无法自定义身份验证错误:
方法:onauthenticationfailure在AbstractLoginFormAuthenticator但在我看来,它只显示会话错误这是正常的,因为我的控制器调用了getLastAuthenticationError()方法。
但是我如何显示自定义错误呢CustomUserMessageAuthenticationException在我看来?
我AbstractLoginFormAuthenticator
namespace SymfonyComponentSecurityHttpAuthenticator;
use SymfonyComponentHttpFoundationRequest;
use SymfonyComponentSecurityCoreSecurity;
use SymfonyComponentHttpFoundationResponse;
use SymfonyComponentHttpFoundationRedirectResponse;
use SymfonyComponentSecurityCoreExceptionAuthenticationException;
use SymfonyComponentSecurityHttpEntryPointAuthenticationEntryPointInterface;
use SymfonyComponentSecurityCoreExceptionCustomUserMessageAuthenticationException;
/**
* A base class to make form login authentication easier!
*
* @author Ryan Weaver <ryan@symfonycasts.com>
*/
abstract class AbstractLoginFormAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterface, InteractiveAuthenticatorInterface
{
/**
* Return the URL to the login page.
*/
abstract protected function getLoginUrl(Request $request): string;
/**
* {@inheritdoc}
*
* Override to change the request conditions that have to be
* matched in order to handle the login form submit.
*
* This default implementation handles all POST requests to the
* login path (@see getLoginUrl()).
*/
public function supports(Request $request): bool
{
return $request->isMethod('POST') && $this->getLoginUrl($request) === $request->getPathInfo();
}
/**
* Override to change what happens after a bad username/password is submitted.
*/
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
{
if ($request->hasSession()) {
//$request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
throw new CustomUserMessageAuthenticationException('error custom ');
}
$url = $this->getLoginUrl($request);
return new RedirectResponse($url);
}
/**
* Override to control what happens when the user hits a secure page
* but isn't logged in yet.
*/
public function start(Request $request, AuthenticationException $authException = null): Response
{
$url = $this->getLoginUrl($request);
return new RedirectResponse($url);
}
public function isInteractive(): bool
{
return true;
}
}
我SecurityController:
namespace AppController;
use AppEntityUser;
use DateTimeImmutable;
use AppFormRegistrationType;
use DoctrineORMEntityManagerInterface;
use SymfonyComponentHttpFoundationRequest;
use SymfonyComponentHttpFoundationResponse;
use SymfonyComponentRoutingAnnotationRoute;
use SymfonyBundleFrameworkBundleControllerAbstractController;
use SymfonyComponentSecurityHttpAuthenticationAuthenticationUtils;
use SymfonyComponentPasswordHasherHasherUserPasswordHasherInterface;
class SecurityController extends AbstractController {
/**
* @Route("/test", name="test")
*/
public function test(Request $request, Response $response){
return $this->render('test.html.twig');
dump($response);
}
/**
* @Route("/login", name="app_login")
*/
public function login(AuthenticationUtils $authenticationUtils): Response
{
// if ($this->getUser()) {
// return $this->redirectToRoute('target_path');
// }
// get the login error if there is one
$error = $authenticationUtils->getLastAuthenticationError();
// last username entered by the user
$lastUsername = $authenticationUtils->getLastUsername();
return $this->render('security/login.html.twig', ['last_username' => $lastUsername, 'error' => $error]);
}
/**
* @Route("/logout", name="app_logout")
*/
public function logout(): void
{
throw new LogicException('This method can be blank - it will be intercepted by the logout key on your firewall.');
}
/**
* @Route("/Inscription", name="registration")
*/
public function registration(EntityManagerInterface $manager, Request $request, UserPasswordHasherInterface $passwordEncoder): Response
{
$user = new User;
$registrationForm = $this->createForm(RegistrationType::class, $user);
$registrationForm->handleRequest($request);
if($registrationForm->isSubmitted() && $registrationForm->isValid()){
$plainPassword = $registrationForm->getData()->getPassword();
$user->setPassword($passwordEncoder->hashPassword($user, $plainPassword));
$user->setCreatedAt( new DateTimeImmutable('NOW'));
$user->setRoles($user->getRoles());
$manager->persist($user);
$manager->flush();
}
return $this->render('security/registration.html.twig',
['registrationForm' => $registrationForm->createView()]);
}
}
my view twig(loginform):
{% block title %}Log in!{% endblock %}
{% block body %}
<form method="post">
{% if error %}
<div class="alert alert-danger">{{ error.messageKey|trans(error.messageData, 'security') }}</div>
{% endif %}
{% if app.user %}
<div class="mb-3">
You are logged in as {{ app.user.username }}, <a href="{{ path('app_logout') }}">Logout</a>
</div>
{% endif %}
<h1 class="h3 mb-3 font-weight-normal">Please sign in</h1>
<label for="inputEmail">Email</label>
<input type="email" value="{{ last_username }}" name="email" id="inputEmail" class="form-control" autocomplete="email" required autofocus>
<label for="inputPassword">Password</label>
<input type="password" name="password" id="inputPassword" class="form-control" autocomplete="current-password" required>
<input type="hidden" name="_csrf_token"
value="{{ csrf_token('authenticate') }}"
>
{#
Uncomment this section and add a remember_me option below your firewall to activate remember me functionality.
See https://symfony.com/doc/current/security/remember_me.html
<div class="checkbox mb-3">
<label>
<input type="checkbox" name="_remember_me"> Remember me
</label>
</div>
#}
<button class="btn btn-lg btn-primary" type="submit">
Sign in
</button>
</form>
{% endblock %}
您应该扩展和覆盖AbstractLoginFormAuthenticator,而不是直接修改它。
为什么你的方法不起作用
简而言之,您需要在到达onAuthenticationFailure()之前抛出异常,因为AuthenticationException是Symfony调用onAuthenticationFailure()的原因。
onAuthenticationFailure()方法处理从AuthenticatorManager::executeAuthenticator()进程抛出的AuthenticationException。
try {
// get the passport from the Authenticator
$passport = $authenticator->authenticate($request);
//...
} catch (AuthenticationException $e) {
// oh no! Authentication failed!
$response = $this->handleAuthenticationFailure($e, $request, $authenticator, $passport);
// ...
}
//...
private function handleAuthenticationFailure(AuthenticationException $authenticationException, Request $request, AuthenticatorInterface $authenticator, ?PassportInterface $passport): ?Response
{
// Avoid leaking error details in case of invalid user (e.g. user not found or invalid account status)
// to prevent user enumeration via response content comparison
if ($this->hideUserNotFoundExceptions && ($authenticationException instanceof UsernameNotFoundException || ($authenticationException instanceof AccountStatusException && !$authenticationException instanceof CustomUserMessageAccountStatusException))) {
$authenticationException = new BadCredentialsException('Bad credentials.', 0, $authenticationException);
}
$response = $authenticator->onAuthenticationFailure($request, $authenticationException);
//...
}
AbstractLoginFormAuthenticator::onAuthenticationFailure()的默认功能使用$request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);,这是添加来自异常的消息,该消息通过调用AuthenticationUtils::getLastAuthenticationError();(调用$session->get(Security::AUTHENTICATION_ERROR);)来检索
public function getLastAuthenticationError(bool $clearSession = true)
{
$request = $this->getRequest();
$authenticationException = null;
//...
if ($request->hasSession() && ($session = $request->getSession())->has(Security::AUTHENTICATION_ERROR)) {
$authenticationException = $session->get(Security::AUTHENTICATION_ERROR);
//...
}
return $authenticationException;
}
如何显示自定义错误信息
在应用程序中有不同的点被调用,在那里你可以抛出传递给onAuthenticationFailure()的异常。
默认情况下,Symfony使用安全配置设置来生成通用消息,但可以通过在您的类中实现它们来覆盖它们。
由于异常被上面提到的条件覆盖。
if ($this->hideUserNotFoundExceptions && !$e instanceof CustomUserMessageAccountStatusException) {
throw new BadCredentialsException('Bad credentials.', 0, $e);
}
您需要禁用hide_user_not_found,否则CustomUserMessageAuthenticationException将被BadCredentialsException('Bad credentials.')异常所取代。
否则跳过禁用hide_user_not_found并抛出CustomUserMessageAccountStatusException而不是CustomUserMessageAuthenticationException。
# /config/packages/security.yaml
security:
# ...
hide_user_not_found: false
firewalls:
# ...
在Authenticator类
最新的用法参考,请阅读默认的FormLoginAuthenticator。由于Symfony转换网站上的教程没有针对Symfony 5进行更新。
use SymfonyComponentSecurityHttpAuthenticatorAbstractLoginFormAuthenticator;
class MyLoginFormAuthenticator extends AbstractLoginFormAuthenticator
{
//...
public function getCredentials(Request $request)
{
//...
throw new CustomUserMessageAuthenticationException('Custom Error');
}
public function authenticate(Request $request): PassportInterface
{
//general usage of how the other exceptions are thrown here
$credentials = $this->getCredentials($request);
$method = 'loadUserByIdentifier';
$badge = new UserBadge($credentials['username'], [$this->userProvider, $method]),
$user = $badge->getUser(); //UserRepository::loadUserByIdentifier()
//...
throw new CustomUserMessageAuthenticationException('Custom Error');
}
}
在UserProvider类
中class UserRepository extends ServiceEntityRepository implements UserProviderInterface
{
//....
public function loadUserByIdentifier(string $identifier)
{
throw new CustomUserMessageAuthenticationException('Custom Error');
//...
}
public function loadUserByUsername(string $username)
{
return $this->loadUserByIdentifier($username);
}
}
在UserChecker类
use SymfonyComponentSecurityCoreUser{UserCheckerInterface, UserInterface};
class UserChecker implements UserCheckerInterface
{
public function checkPreAuth(UserInterface $user): void
{
throw new CustomUserMessageAuthenticationException('Custom Error');
//...
}
public function checkPostAuth(UserInterface $user): void
{
throw new CustomUserMessageAuthenticationException('Custom Error');
//...
}
}