symfony · fabpot · Sep 26, 2017 · Sep 26, 2017
diff --git a/UPGRADE-3.4.md b/UPGRADE-3.4.md
@@ -252,6 +252,13 @@ Profiler
 
  * The `profiler.matcher` option has been deprecated.
 
+Security
+--------
+
+ * Deprecated the HTTP digest authentication: `NonceExpiredException`, 
+   `DigestAuthenticationListener` and `DigestAuthenticationEntryPoint` will be 
+   removed in 4.0. Use another authentication system like `http_basic` instead.
+
 SecurityBundle
 --------------
 
@@ -272,6 +279,9 @@ SecurityBundle
  * Added `logout_on_user_change` to the firewall options. This config item will
    trigger a logout when the user has changed. Should be set to true to avoid
    deprecations in the configuration.
+
+ * Deprecated the HTTP digest authentication: `HttpDigestFactory` will be removed in 4.0.
+   Use another authentication system like `http_basic` instead.
 
 Translation
 -----------

diff --git a/UPGRADE-4.0.md b/UPGRADE-4.0.md
@@ -645,6 +645,10 @@ Security
  * Calling `ContextListener::setLogoutOnUserChange(false)` won't have any
    effect anymore.
 
+ * Removed the HTTP digest authentication system. The `NonceExpiredException`,
+   `DigestAuthenticationListener` and `DigestAuthenticationEntryPoint` classes
+   have been removed. Use another authentication system like `http_basic` instead.
+
 SecurityBundle
 --------------
 
@@ -665,6 +669,9 @@ SecurityBundle
 
  * The firewall option `logout_on_user_change` is now always true, which will
    trigger a logout if the user changes between requests.
+
+ * Removed the HTTP digest authentication system. The `HttpDigestFactory` class
+   has been removed. Use another authentication system like `http_basic` instead.
 
 Serializer
 ----------

diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -16,6 +16,7 @@ CHANGELOG
  * Added `logout_on_user_change` to the firewall options. This config item will
    trigger a logout when the user has changed. Should be set to true to avoid
    deprecations in the configuration.
+ * deprecated HTTP digest authentication
 
 3.3.0
 -----

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpDigestFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpDigestFactory.php
@@ -20,9 +20,18 @@
  * HttpDigestFactory creates services for HTTP digest authentication.
  *
  * @author Fabien Potencier <fabien@symfony.com>
+ *
+ * @deprecated since 3.4, to be removed in 4.0
  */
 class HttpDigestFactory implements SecurityFactoryInterface
 {
+    public function __construct($triggerDeprecation = true)
+    {
+        if ($triggerDeprecation) {
+            @trigger_error(sprintf('The %s class and the whole HTTP digest authentication system is deprecated since 3.4 and will be removed in 4.0.', __CLASS__), E_USER_DEPRECATED);
+        }
+    }
+
     public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
     {
         $provider = 'security.authentication.provider.dao.'.$id;
@@ -59,6 +68,7 @@ public function getKey()
     public function addConfiguration(NodeDefinition $node)
     {
         $node
+            ->setDeprecated('The HTTP digest authentication is deprecated since 3.4 and will be removed in 4.0.')
             ->children()
                 ->scalarNode('provider')->end()
                 ->scalarNode('realm')->defaultValue('Secured Area')->end()

diff --git a/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php b/src/Symfony/Bundle/SecurityBundle/SecurityBundle.php
@@ -47,7 +47,7 @@ public function build(ContainerBuilder $container)
         $extension->addSecurityListenerFactory(new JsonLoginFactory());
         $extension->addSecurityListenerFactory(new HttpBasicFactory());
         $extension->addSecurityListenerFactory(new HttpBasicLdapFactory());
-        $extension->addSecurityListenerFactory(new HttpDigestFactory());
+        $extension->addSecurityListenerFactory(new HttpDigestFactory(false));
         $extension->addSecurityListenerFactory(new RememberMeFactory());
         $extension->addSecurityListenerFactory(new X509Fa
A3D4
ctory());
         $extension->addSecurityListenerFactory(new RemoteUserFactory());

diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php
@@ -86,6 +86,131 @@ public function testFirewalls()
         $configs[0][2] = strtolower($configs[0][2]);
         $configs[2][2] = strtolower($configs[2][2]);
 
+        $this->assertEquals(array(
+            array(
+                'simple',
+                'security.user_checker',
+                'security.request_matcher.6tndozi',
+                false,
+            ),
+            array(
+                'secure',
+                'security.user_checker',
+                null,
+                true,
+                true,
+                'security.user.provider.concrete.default',
+                null,
+                'security.authentication.form_entry_point.secure',
+                null,
+                null,
+                array(
+                    'logout',
+                    'switch_user',
+                    'x509',
+                    'remote_user',
+                    'form_login',
+                    'http_basic',
+                    'remember_me',
+                    'anonymous',
+                ),
+                array(
+                    'parameter' => '_switch_user',
+                    'role' => 'ROLE_ALLOWED_TO_SWITCH',
+                ),
+            ),
+            array(
+                'host',
+                'security.user_checker',
+                'security.request_matcher.and0kk1',
+                true,
+                false,
+                'security.user.provider.concrete.default',
+                'host',
+                'security.authentication.basic_entry_point.host',
+                null,
+                null,
+                array(
+                    'http_basic',
+                    'anonymous',
+                ),
+                null,
+            ),
+            array(
+                'with_user_checker',
+                'app.user_checker',
+                null,
+                true,
+                false,
+                'security.user.provider.concrete.default',
+                'with_user_checker',
+                'security.authentication.basic_entry_point.with_user_checker',
+                null,
+                null,
+                array(
+                    'http_basic',
+                    'anonymous',
+                ),
+                null,
+            ),
+        ), $configs);
+
+        $this->assertEquals(array(
+            array(),
+            array(
+                'security.channel_listener',
+                'security.logout_listener.secure',
+                'security.authentication.listener.x509.secure',
+                'security.authentication.listener.remote_user.secure',
+                'security.authentication.listener.form.secure',
+                'security.authentication.listener.basic.secure',
+                'security.authentication.listener.rememberme.secure',
+                'security.authentication.listener.anonymous.secure',
+                'security.authentication.switchuser_listener.secure',
+                'security.access_listener',
+            ),
+            array(
+                'security.channel_listener',
+                'security.context_listener.0',
+                'security.authentication.listener.basic.host',
+                'security.authentication.listener.anonymous.host',
+                'security.access_listener',
+            ),
+            array(
+                'security.channel_listener',
+                'security.context_listener.1',
+                'security.authentication.listener.basic.with_user_checker',
+                'security.authentication.listener.anonymous.with_user_checker',
+                'security.access_listener',
+            ),
+        ), $listeners);
+
+        $this->assertFalse($container->hasAlias('Symfony\Component\Security\Core\User\UserCheckerInterface', 'No user checker alias is registered when custom user checker services are registered'));
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testFirewallsWithDigest()
+    {
+        $container = $this->getContainer('container1_with_digest');
+        $arguments = $container->getDefinition('security.firewall.map')->getArguments();
+        $listeners = array();
+        $configs = array();
+        foreach (array_keys($arguments[1]->getValues()) as $contextId) {
+            $contextDef = $container->getDefinition($contextId);
+            $arguments = $contextDef->getArguments();
+            $listeners[] = array_map('strval', $arguments['index_0']->getValues());
+
+            $configDef = $container->getDefinition((string) $arguments['index_2']);
+            $configs[] = array_values($configDef->getArguments());
+        }
+
+        // the IDs of the services are case sensitive or insensitive depending on
+        // the Symfony version. Transform them to lowercase to simplify tests.
+        $configs[0][2] = strtolower($configs[0][2]);
+        $configs[2][2] = strtolower($configs[2][2]);
+
         $this->assertEquals(array(
             array(
                 'simple',

diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1.php
@@ -64,7 +64,6 @@
         'simple' => array('pattern' => '/login', 'security' => false),
         'secure' => array('stateless' => true,
             'http_basic' => true,
-            'http_digest' => array('secret' => 'TheSecret'),
             'form_login' => true,
             'anonymous' => true,
             'switch_user' => true,

diff --git a/...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_digest.php b/...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/container1_with_digest.php
@@ -0,0 +1,105 @@
+<?php
+
+$container->loadFromExtension('security', array(
+    'acl' => array(),
+    'encoders' => array(
+        'JMS\FooBundle\Entity\User1' => 'plaintext',
+        'JMS\FooBundle\Entity\User2' => array(
+            'algorithm' => 'sha1',
+            'encode_as_base64' => false,
+            'iterations' => 5,
+        ),
+        'JMS\FooBundle\Entity\User3' => array(
+            'algorithm' => 'md5',
+        ),
+        'JMS\FooBundle\Entity\User4' => array(
+            'id' => 'security.encoder.foo',
+        ),
+        'JMS\FooBundle\Entity\User5' => array(
+            'algorithm' => 'pbkdf2',
+            'hash_algorithm' => 'sha1',
+            'encode_as_base64' => false,
+            'iterations' => 5,
+            'key_length' => 30,
+        ),
+        'JMS\FooBundle\Entity\User6' => array(
+            'algorithm' => 'bcrypt',
+            'cost' => 15,
+        ),
+    ),
+    'providers' => array(
+        'default' => array(
+            'memory' => array(
+                'users' => array(
+                    'foo' => array('password' => 'foo', 'roles' => 'ROLE_USER'),
+                ),
+            ),
+        ),
+        'digest' => array(
+            'memory' => array(
+                'users' => array(
+                    'foo' => array('password' => 'foo', 'roles' => 'ROLE_USER, ROLE_ADMIN'),
+                ),
+            ),
+        ),
+        'basic' => array(
+            'memory' => array(
+                'users' => array(
+                    'foo' => array('password' => '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33', 'roles' => 'ROLE_SUPER_ADMIN'),
+                    'bar' => array('password' => '0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33', 'roles' => array('ROLE_USER', 'ROLE_ADMIN')),
+                ),
+            ),
+        ),
+        'service' => array(
+            'id' => 'user.manager',
+        ),
+        'chain' => array(
+            'chain' => array(
+                'providers' => array('service', 'basic'),
+            ),
+        ),
+    ),
+
+    'firewalls' => array(
+        'simple' => array('pattern' => '/login', 'security' => false),
+        'secure' => array('stateless' => true,
+            'http_basic' => true,
+            'http_digest' => array('secret' => 'TheSecret'),
+            'form_login' => true,
+            'anonymous' => true,
+            'switch_user' => true,
+            'x509' => true,
+            'remote_user' => true,
+            'logout' => true,
+            'remember_me' => array('secret' => 'TheSecret'),
+            'user_checker' => null,
+            'logout_on_user_change' => true,
+        ),
+        'host' => array(
+            'pattern' => '/test',
+            'host' => 'foo\\.example\\.org',
+            'methods' => array('GET', 'POST'),
+            'anonymous' => true,
+            'http_basic' => true,
+            'logout_on_user_change' => true,
+        ),
+        'with_user_checker' => array(
+            'user_checker' => 'app.user_checker',
+            'anonymous' => true,
+            'http_basic' => true,
+            'logout_on_user_change' => true,
+        ),
+    ),
+
+    'access_control' => array(
+        array('path' => '/blog/524', 'role' => 'ROLE_USER', 'requires_channel' => 'https', 'methods' => array('get', 'POST')),
+        array('path' => '/blog/.*', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'),
+        array('path' => '/blog/524', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY', 'allow_if' => "token.getUsername() matches '/^admin/'"),
+    ),
+
+    'role_hierarchy' => array(
+        'ROLE_ADMIN' => 'ROLE_USER',
+        'ROLE_SUPER_ADMIN' => array('ROLE_USER', 'ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'),
+        'ROLE_REMOTE' => 'ROLE_USER,ROLE_ADMIN',
+    ),
+));
diff --git a/...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/no_custom_user_checker.php b/...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/no_custom_user_checker.php
@@ -15,7 +15,6 @@
         'secure' => array(
             'stateless' => true,
             'http_basic' => true,
-            'http_digest' => array('secret' => 'TheSecret'),
             'form_login' => true,
             'anonymous' => true,
             'switch_user' => true,

diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/container1.xml
@@ -49,7 +49,6 @@
 
         <firewall name="secure" stateless="true">
             <http-basic />
-            <http-digest secret="TheSecret" />
             <form-login />
             <anonymous />
             <switch-user />