* * For the full copyright and license information, please view the LICENSE * file that was distributed with this source code. */ namespace Symfony\Component\Security\Http\Firewall; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Response; use Symfony\Component\HttpKernel\Event\GetResponseEvent; use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; use Symfony\Component\Security\Core\Exception\LogoutException; use Symfony\Component\Security\Csrf\CsrfToken; use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface; use Symfony\Component\Security\Http\HttpUtils; use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface; use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface; use Symfony\Component\Security\Http\ParameterBagUtils; /** * LogoutListener logout users. * * @author Fabien Potencier */ class LogoutListener implements ListenerInterface { private $tokenStorage; private $options; private $handlers; private $successHandler; private $httpUtils; private $csrfTokenManager; /** * Constructor. * * @param TokenStorageInterface $tokenStorage * @param HttpUtils $httpUtils An HttpUtilsInterface instance * @param LogoutSuccessHandlerInterface $successHandler A LogoutSuccessHandlerInterface instance * @param array $options An array of options to process a logout attempt * @param CsrfTokenManagerInterface $csrfTokenManager A CsrfTokenManagerInterface instance */ public function __construct(TokenStorageInterface $tokenStorage, HttpUtils $httpUtils, LogoutSuccessHandlerInterface $successHandler, array $options = array(), CsrfTokenManagerInterface $csrfTokenManager = null) { $this->tokenStorage = $tokenStorage; $this->httpUtils = $httpUtils; $this->options = array_merge(array( 'csrf_parameter' => '_csrf_token', 'csrf_token_id' => 'logout', 'logout_path' => '/logout', ), $options); $this->successHandler = $successHandler; $this->csrfTokenManager = $csrfTokenManager; $this->handlers = array(); } /** * Adds a logout handler. * * @param LogoutHandlerInterface $handler */ public function addHandler(LogoutHandlerInterface $handler) { $this->handlers[] = $handler; } /** * Performs the logout if requested. * * If a CsrfTokenManagerInterface instance is available, it will be used to * validate the request. * * @param GetResponseEvent $event A GetResponseEvent instance * * @throws LogoutException if the CSRF token is invalid * @throws \RuntimeException if the LogoutSuccessHandlerInterface instance does not return a response */ public function handle(GetResponseEvent $event) { $request = $event->getRequest(); if (!$this->requiresLogout($request)) { return; } if (null !== $this->csrfTokenManager) { $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']); if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) { throw new LogoutException('Invalid CSRF token.'); } } $response = $this->successHandler->onLogoutSuccess($request); if (!$response instanceof Response) { throw new \RuntimeException('Logout Success Handler did not return a Response.'); } // handle multiple logout attempts gracefully if ($token = $this->tokenStorage->getToken()) { foreach ($this->handlers as $handler) { $handler->logout($request, $response, $token); } } $this->tokenStorage->setToken(null); $event->setResponse($response); } /** * Whether this request is asking for logout. * * The default implementation only processed requests to a specific path, * but a subclass could change this to logout requests where * certain parameters is present. * * @param Request $request * * @return bool */ protected function requiresLogout(Request $request) { return $this->httpUtils->checkRequestPath($request, $this->options['logout_path']); } }