-rw-r--r-- | Core/Exception/InvalidCsrfTokenException.php | 12 | ||||
-rw-r--r-- | Http/Firewall/UsernamePasswordFormAuthenticationListener.php | 25 |
2 files changed, 32 insertions, 5 deletions
diff --git a/Core/Exception/InvalidCsrfTokenException.php b/Core/Exception/InvalidCsrfTokenException.php
new file mode 100644
index 0000000..f19bcbf
--- /dev/null
+++ b/Core/Exception/InvalidCsrfTokenException.php
@@ -0,0 +1,12 @@
+<?php
+
+namespace Symfony\Component\Security\Core\Exception;
+
+/**
+ * This exception is thrown when the csrf token is invalid.
+ *
+ * @author Johannes M. Schmitt <schmittjoh@gmail.com>
+ */
+class InvalidCsrfTokenException extends AuthenticationException
+{
+}
\ No newline at end of file diff --git a/Http/Firewall/UsernamePasswordFormAuthenticationListener.php b/Http/Firewall/UsernamePasswordFormAuthenticationListener.php index 1ba71ba..0e3b396 100644 --- a/Http/Firewall/UsernamePasswordFormAuthenticationListener.php +++ b/Http/Firewall/UsernamePasswordFormAuthenticationListener.php @@ -11,15 +11,16 @@ namespace Symfony\Component\Security\Http\Firewall; +use Symfony\Component\Form\CsrfProvider\CsrfProviderInterface; +use Symfony\Component\HttpFoundation\Request; +use Symfony\Component\HttpKernel\Log\LoggerInterface; use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface; use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface; use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface; - -use Symfony\Component\Security\Core\SecurityContextInterface; use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; -use Symfony\Component\HttpKernel\Log\LoggerInterface; -use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken; +use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException; +use Symfony\Component\Security\Core\SecurityContextInterface; /** * UsernamePasswordFormAuthenticationListener is the default implementation of 
@@ -29,16 +30,22 @@ use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken; */ class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationListener { + protected $csrfProvider; + /** * {@inheritdoc} */ - public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, SessionAuthenticationStrategyInterface $sessionStrategy, $providerKey, array $options = array(), AuthenticationSuccessHandlerInterface $successHandler = null, AuthenticationFailureHandlerInterface $failureHandler = null, LoggerInterface $logger = null) + public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, SessionAuthenticationStrategyInterface $sessionStrategy, $providerKey, array $options = array(), AuthenticationSuccessHandlerInterface $successHandler = null, AuthenticationFailureHandlerInterface $failureHandler = null, LoggerInterface $logger = null, CsrfProviderInterface $csrfProvider = null) { parent::__construct($securityContext, $authenticationManager, $sessionStrategy, $providerKey, array_merge(array( 'username_parameter' => '_username', 'password_parameter' => '_password', + 'csrf_parameter' => '_csrf_token', + 'csrf_page_id' => 'form_login', 'post_only' => true, ), $options), $successHandler, $failureHandler, $logger); + + $this->csrfProvider = $csrfProvider; } /** @@ -54,6 +61,14 @@ class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationL return null; } + if (null !== $this->csrfProvider) { + $csrfToken = $request->get($this->options['csrf_parameter']); + + if (false === $this->csrfProvider->isTokenValid($this->options['csrf_page_id'], $csrfToken)) { + throw new InvalidCsrfTokenException('Invalid CSRF token.'); + } + } + $username = trim($request->get($this->options['username_parameter'])); $password = $request->get($this->options['password_parameter']); |
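Review bot: The new `$csrfProvider` constructor parameter defaults to null, and the validation branch added further down in this file runs only under `if (null !== $this->csrfProvider)`, so a listener built without a provider performs no CSRF check at all even though `csrf_parameter` and `csrf_page_id` now default as if one were in place; neither the parameter nor the new `protected $csrfProvider;` property says so. The constructor docblock is `{@inheritdoc}`, but the parent's signature does not carry this parameter, so it is effectively undocumented. I would give the property a docblock, `/** @var CsrfProviderInterface|null Validation is skipped entirely when no provider is injected. */`, and add `@param CsrfProviderInterface|null $csrfProvider  Optional; without it no CSRF check is performed` to the constructor docblock. If the parent class exposes the logger (it is passed through here but its storage is outside the hunk), a debug log entry when the provider is null would make a firewall configured without CSRF protection visible in the logs rather than only by the absence of rejections.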