author | Jeremy Mikola <jmikola@gmail.com> | 2012-02-06 14:54:38 -0500 |
---|---|---|
committer | Jeremy Mikola <jmikola@gmail.com> | 2012-02-14 19:03:52 -0500 |
commit | dc06bea6d334604e95f5f050cfe9866e5ed4cde7 (patch) | |
tree | 0ce7370fb59b115767b1cfc899143e82fffe35b0 /Http | |
parent | 0924bcd2ebc4ec0ad510aea6df4034bb2e716c03 (diff) | |
[Security] Use LogoutException for invalid CSRF token in LogoutListener
On the advice of @schmittjoh, this commit adds a LogoutException class for use by LogoutListener if the CSRF token is invalid.
The handling in the Security component's ExceptionListener is modeled after AccessDeniedException, which gets wrapped in an AccessDeniedHttpException in the absence of handler service or error page (I didn't think it was appropriate to re-use those for LogoutException).
Diffstat (limited to 'Http')
-rw-r--r-- | Http/Firewall/ExceptionListener.php | 9 | ||||
-rw-r--r-- | Http/Firewall/LogoutListener.php | 4 |
2 files changed, 11 insertions, 2 deletions
diff --git a/Http/Firewall/ExceptionListener.php b/Http/Firewall/ExceptionListener.php
index 674c648..0996ab2 100644
--- a/Http/Firewall/ExceptionListener.php
+++ b/Http/Firewall/ExceptionListener.php
@@ -20,6 +20,7 @@ use Symfony\Component\Security\Core\Exception\AccountStatusException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
+use Symfony\Component\Security\Core\Exception\LogoutException;
use Symfony\Component\Security\Http\HttpUtils;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Log\LoggerInterface;
@@ -140,6 +141,14 @@ class ExceptionListener
return;
}
}
+ } elseif ($exception instanceof LogoutException) {
+ if (null !== $this->logger) {
+ $this->logger->info(sprintf('Logout exception occurred; wrapping with AccessDeniedHttpException (%s)', $exception->getMessage()));
+ }
+
+ $event->setException(new AccessDeniedHttpException($exception->getMessage(), $exception));
+
+ return;
} else {
return;
}
diff --git a/Http/Firewall/LogoutListener.php b/Http/Firewall/LogoutListener.php
index f4d0b2c..59172dc 100644
--- a/Http/Firewall/LogoutListener.php
+++ b/Http/Firewall/LogoutListener.php
@@ -16,7 +16,7 @@ use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Security\Core\SecurityContextInterface;
-use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
+use Symfony\Component\Security\Core\Exception\LogoutException;
use Symfony\Component\Security\Http\HttpUtils;
use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;
use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;
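Review bot: The new `elseif ($exception instanceof LogoutException)` branch in the second hunk always replaces the exception with an `AccessDeniedHttpException` and returns, with no lookup of an access-denied handler service or error page, whereas the commit description says the `AccessDeniedException` branch above it (which starts outside the hunk) consults those first. The description states this asymmetry is deliberate, but nothing in the code records it, so the next maintainer is likely to "fix" it; a one-line comment above the branch would prevent that: `// LogoutException (e.g. invalid CSRF token on logout) is always answered with a 403; the access-denied handler/error page are intentionally not consulted here.` Forwarding `$exception->getMessage()` into the HTTP exception is acceptable since the only message thrown in this commit is the generic 'Invalid CSRF token.', and the original is kept as the previous exception. The enclosing method starts and ends outside the hunk.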
@@ -91,7 +91,7 @@ class LogoutListener implements ListenerInterface
$csrfToken = $request->get($this->options['csrf_parameter'], null, true);
if (false === $this->csrfProvider->isCsrfTokenValid($this->options['intention'], $csrfToken)) {
- throw new InvalidCsrfTokenException('Invalid CSRF token.');
+ throw new LogoutException('Invalid CSRF token.');
}
}
|
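Review bot: The docblock of the enclosing method (presumably `handle()`, given `ListenerInterface`; it starts outside the hunk) is not touched by this change, so if it declares `@throws InvalidCsrfTokenException` it is now wrong and should read `@throws LogoutException if the CSRF token is invalid`; any caller that catches the old type also stops matching, which the commit message should mention. The context line `$csrfToken = $request->get($this->options['csrf_parameter'], null, true);` reads the token from the query string and request attributes as well as the body, so a logout link that carries the token in its URL exposes it to Referer headers and access logs; that is pre-existing rather than introduced here, but it is worth either a comment stating the accepted sources or narrowing the lookup to the one the logout form actually uses. The enclosing method starts and ends outside the hunk.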