[Security] Implement support for CSRF tokens in logout URL's #3007

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Mar 5, 2012
Merged
Prev Previous commit
[Security] Use LogoutException for invalid CSRF token in LogoutListener
On the advice of @schmittjoh, this commit adds a LogoutException class for use by LogoutListener if the CSRF token is invalid.

The handling in the Security component's ExceptionListener is modeled after AccessDeniedException, which gets wrapped in an AccessDeniedHttpException in the absence of handler service or error page (I didn't think it was appropriate to re-use those for LogoutException).
jmikola committed Feb 15, 2012
commit 49a8654cb8074f648cd13060a2b85ccd2f136c75
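--- a/src/Symfony/Component/Security/Core/Exception/LogoutException.php
+++ b/src/Symfony/Component/Security/Core/Exception/LogoutException.php
@@ -0,0 +1,25 @@
+<?php
+
+/*
+* This file is part of the Symfony package.
+*
+* (c) Fabien Potencier <fabien@symfony.com>
+*
+* For the full copyright and license information, please view the LICENSE
+* file that was distributed with this source code.
+*/
+
+namespace Symfony\Component\Security\Core\Exception;
+
+/**
+* LogoutException is thrown when the account cannot be logged out.
+*
+* @author Jeremy Mikola <jmikola@gmail.com>
+*/
+class LogoutException extends \RuntimeException
+{
+public function __construct($message = 'Logout Exception', \Exception $previous = null)
+{
+parent::__construct($message, 403, $previous);
+}
+}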
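Review bot: The fixed exception code in `parent::__construct($message, 403, $previous)` is undocumented, and the listener hunk that handles this exception wraps it with `new AccessDeniedHttpException($exception->getMessage(), $exception)` without reading that code, so a reader may assume the code is what produces the 403 response. Add `@param string $message` and `@param \Exception $previous` to the constructor docblock, plus a comment on the super call such as `// 403 documents the intended HTTP status; the actual response status comes from the AccessDeniedHttpException that ExceptionListener wraps this in`. The class docblock should also state that the message is forwarded into that HTTP exception and may be surfaced in the error response, so it must not carry internal detail.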
Expand Up @@ -20,6 +20,7 @@
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
use Symfony\Component\Security\Core\Exception\LogoutException;
use Symfony\Component\Security\Http\HttpUtils;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Log\LoggerInterface;
Expand Down Expand Up @@ -140,6 +141,14 @@ public function onKernelException(GetResponseForExceptionEvent $event)
return;
}
}
} elseif ($exception instanceof LogoutException) {
if (null !== $this->logger) {
$this->logger->info(sprintf('Logout exception occurred; wrapping with AccessDeniedHttpException (%s)', $exception->getMessage()));
}

$event->setException(new AccessDeniedHttpException($exception->getMessage(), $exception));

return;
} else {
return;
}
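Review bot: The new `elseif ($exception instanceof LogoutException)` branch has no comment explaining why it bypasses the handler service and error page that the preceding branch appears to consult; the commit description gives the reason, the code does not. Add a comment above the branch such as `// LogoutException is deliberately not routed through the access-denied handler or error page; it always becomes a 403 via AccessDeniedHttpException`. The `info`-level log line records only the exception message; since a rejected logout request is a security-relevant event, `warning` would make it easier to separate from routine traffic in audit review, though the level may be intentionally quiet to match the AccessDeniedException path. onKernelException begins before and ends after this hunk.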
Expand Up @@ -16,7 +16,7 @@
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
use Symfony\Component\Security\Core\Exception\LogoutException;
use Symfony\Component\Security\Http\HttpUtils;
use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;
Expand Down Expand Up @@ -91,7 +91,7 @@ public function handle(GetResponseEvent $event)
$csrfToken = $request->get($this->options['csrf_parameter'], null, true);

if (false === $this->csrfProvider->isCsrfTokenValid($this->options['intention'], $csrfToken)) {
throw new InvalidCsrfTokenException('Invalid CSRF token.');
throw new LogoutException('Invalid CSRF token.');
}
}

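Review bot: A missing token still reaches the provider: `$request->get($this->options['csrf_parameter'], null, true)` yields null when the parameter is absent, and `isCsrfTokenValid` is then called with null, so rejecting such a request depends on every provider implementation treating null as invalid. An explicit guard, `if (null === $csrfToken || false === $this->csrfProvider->isCsrfTokenValid($this->options['intention'], $csrfToken)) {`, rejects the absent-token case without relying on that. handle() begins before and ends after this hunk, so any surrounding null check on `$this->csrfProvider` is not visible here.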
Expand Up @@ -145,7 +145,7 @@ public function testSuccessHandlerReturnsNonResponse()
}

/**
* @expectedException Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException
* @expectedException Symfony\Component\Security\Core\Exception\LogoutException
*/
public function testCsrfValidationFails()
{