[Security] Deprecate callable firewall listeners

MatTheCat · MatTheCat · commit 3b041a7bec20 · 2025-06-17T16:05:40.000+02:00
diff --git a/UPGRADE-7.4.md b/UPGRADE-7.4.md
@@ -22,3 +22,8 @@ HttpClient
 ----------
 
  * Deprecate using amphp/http-client < 5
+
+Security
+--------
+
+ * Deprecate callable firewall listeners, extend `AbstractListener` or implement `FirewallListenerInterface` instead
diff --git a/src/Symfony/Bundle/SecurityBundle/Debug/TraceableFirewallListener.php b/src/Symfony/Bundle/SecurityBundle/Debug/TraceableFirewallListener.php
@@ -16,6 +16,7 @@
 use Symfony\Bundle\SecurityBundle\Security\LazyFirewallContext;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticatorManagerListener;
+use Symfony\Component\Security\Http\Firewall\AbstractListener;
 use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Contracts\Service\ResetInterface;
 
diff --git a/src/Symfony/Bundle/SecurityBundle/Security/FirewallContext.php b/src/Symfony/Bundle/SecurityBundle/Security/FirewallContext.php
@@ -12,6 +12,7 @@
 namespace Symfony\Bundle\SecurityBundle\Security;
 
 use Symfony\Component\Security\Http\Firewall\ExceptionListener;
+use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Component\Security\Http\Firewall\LogoutListener;
 
 /**
@@ -39,7 +40,7 @@ public function getConfig(): ?FirewallConfig
     }
 
     /**
-     * @return iterable<mixed, callable>
+     * @return iterable<mixed, FirewallListenerInterface|callable>
      */
     public function getListeners(): iterable
     {
diff --git a/src/Symfony/Bundle/SecurityBundle/Security/LazyFirewallContext.php b/src/Symfony/Bundle/SecurityBundle/Security/LazyFirewallContext.php
@@ -11,9 +11,11 @@
 
 namespace Symfony\Bundle\SecurityBundle\Security;
 
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Http\Event\LazyResponseEvent;
+use Symfony\Component\Security\Http\Firewall\AbstractListener;
 use Symfony\Component\Security\Http\Firewall\ExceptionListener;
 use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Component\Security\Http\Firewall\LogoutListener;
@@ -23,7 +25,7 @@
  *
  * @author Nicolas Grekas <p@tchwork.com>
  */
-class LazyFirewallContext extends FirewallContext
+class LazyFirewallContext extends FirewallContext implements FirewallListenerInterface
 {
     public function __construct(
         iterable $listeners,
@@ -40,19 +42,26 @@ public function getListeners(): iterable
         return [$this];
     }
 
-    public function __invoke(RequestEvent $event): void
+    public function supports(Request $request): ?bool
+    {
+        return true;
+    }
+
+    public function authenticate(RequestEvent $event): void
     {
         $listeners = [];
         $request = $event->getRequest();
         $lazy = $request->isMethodCacheable();
 
         foreach (parent::getListeners() as $listener) {
-            if (!$lazy || !$listener instanceof FirewallListenerInterface) {
+            if (!$listener instanceof FirewallListenerInterface) {
+                trigger_deprecation('symfony/security-http', '7.4', 'Using a callable as firewall listener is deprecated, extend "%s" or implement "%s" instead.', AbstractListener::class, FirewallListenerInterface::class);
+
                 $listeners[] = $listener;
-                $lazy = $lazy && $listener instanceof FirewallListenerInterface;
+                $lazy = false;
             } elseif (false !== $supports = $listener->supports($request)) {
                 $listeners[] = [$listener, 'authenticate'];
-                $lazy = null === $supports;
+                $lazy = $lazy && null === $supports;
             }
         }
 
@@ -75,4 +84,14 @@ public function __invoke(RequestEvent $event): void
             }
         });
     }
+
+    public static function getPriority(): int
+    {
+        return 0;
+    }
+
+    public function __invoke(RequestEvent $event): void
+    {
+        $this->authenticate($event);
+    }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php
@@ -32,6 +32,7 @@
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Role\RoleHierarchy;
 use Symfony\Component\Security\Core\User\InMemoryUser;
+use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Component\Security\Http\FirewallMapInterface;
 use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
 use Symfony\Component\VarDumper\Caster\ClassStub;
@@ -193,8 +194,24 @@ public function testGetListeners()
         $request = new Request();
         $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST);
         $event->setResponse($response = new Response());
-        $listener = function ($e) use ($event, &$listenerCalled) {
-            $listenerCalled += $e === $event;
+        $listener = new class implements FirewallListenerInterface
+        {
+            public int $callCount = 0;
+
+            public function supports(Request $request): ?bool
+            {
+                return true;
+            }
+
+            public function authenticate(RequestEvent $event): void
+            {
+                ++$this->callCount;
+            }
+
+            public static function getPriority(): int
+            {
+                return 0;
+            }
         };
         $firewallMap = $this
             ->getMockBuilder(FirewallMap::class)
@@ -217,9 +234,9 @@ public function testGetListeners()
         $collector = new SecurityDataCollector(null, null, null, null, $firewallMap, $firewall, true);
         $collector->collect($request, $response);
 
-        $this->assertNotEmpty($collected = $collector->getListeners()[0]);
+        $this->assertCount(1, $collector->getListeners());
         $collector->lateCollect();
-        $this->assertSame(1, $listenerCalled);
+        $this->assertSame(1, $listener->callCount);
     }
 
     public function testCollectCollectsDecisionLogWhenStrategyIsAffirmative()
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Debug/TraceableFirewallListenerTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Debug/TraceableFirewallListenerTest.php
@@ -30,6 +30,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 use Symfony\Component\Security\Http\Firewall\AuthenticatorManagerListener;
+use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
 
 /**
@@ -41,9 +42,25 @@ public function testOnKernelRequestRecordsListeners()
     {
         $request = new Request();
         $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST);
-        $event->setResponse($response = new Response());
-        $listener = function ($e) use ($event, &$listenerCalled) {
-            $listenerCalled += $e === $event;
+        $event->setResponse(new Response());
+        $listener = new class implements FirewallListenerInterface
+        {
+            public int $callCount = 0;
+
+            public function supports(Request $request): ?bool
+            {
+                return true;
+            }
+
+            public function authenticate(RequestEvent $event): void
+            {
+                ++$this->callCount;
+            }
+
+            public static function getPriority(): int
+            {
+                return 0;
+            }
         };
         $firewallMap = $this->createMock(FirewallMap::class);
         $firewallMap
diff --git a/src/Symfony/Bundle/SecurityBundle/composer.json b/src/Symfony/Bundle/SecurityBundle/composer.json
@@ -22,6 +22,7 @@
         "symfony/clock": "^6.4|^7.0|^8.0",
         "symfony/config": "^7.3|^8.0",
         "symfony/dependency-injection": "^6.4.11|^7.1.4|^8.0",
+        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/event-dispatcher": "^6.4|^7.0|^8.0",
         "symfony/http-kernel": "^6.4|^7.0|^8.0",
         "symfony/http-foundation": "^6.4|^7.0|^8.0",
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+7.4
+---
+
+* Deprecate callable firewall listeners, extend `AbstractListener` or implement `FirewallListenerInterface` instead
+
 7.3
 ---
 
diff --git a/src/Symfony/Component/Security/Http/Firewall.php b/src/Symfony/Component/Security/Http/Firewall.php
@@ -16,6 +16,7 @@
 use Symfony\Component\HttpKernel\Event\FinishRequestEvent;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Security\Http\Firewall\AbstractListener;
 use Symfony\Component\Security\Http\Firewall\ExceptionListener;
 use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
@@ -123,6 +124,8 @@ protected function callListeners(RequestEvent $event, iterable $listeners)
     {
         foreach ($listeners as $listener) {
             if (!$listener instanceof FirewallListenerInterface) {
+                trigger_deprecation('symfony/security-http', '7.4', 'Using a callable as firewall listener is deprecated, extend "%s" or implement "%s" instead.', AbstractListener::class, FirewallListenerInterface::class);
+            
                 $listener($event);
             } elseif (false !== $listener->supports($event->getRequest())) {
                 $listener->authenticate($event);
@@ -134,8 +137,8 @@ protected function callListeners(RequestEvent $event, iterable $listeners)
         }
     }
 
-    private function getListenerPriority(object $logoutListener): int
+    private function getListenerPriority(object $listener): int
     {
-        return $logoutListener instanceof FirewallListenerInterface ? $logoutListener->getPriority() : 0;
+        return $listener instanceof FirewallListenerInterface ? $listener->getPriority() : 0;
     }
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/FirewallTest.php b/src/Symfony/Component/Security/Http/Tests/FirewallTest.php
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Http\Tests;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Bridge\PhpUnit\ExpectUserDeprecationMessageTrait;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -25,6 +26,8 @@
 
 class FirewallTest extends TestCase
 {
+    use ExpectUserDeprecationMessageTrait;
+
     public function testOnKernelRequestRegistersExceptionListener()
     {
         $dispatcher = $this->createMock(EventDispatcherInterface::class);
@@ -54,21 +57,26 @@ public function testOnKernelRequestRegistersExceptionListener()
 
     public function testOnKernelRequestStopsWhenThereIsAResponse()
     {
-        $called = [];
+        $listener = new class extends AbstractListener
+        {
+            public int $callCount = 0;
 
-        $first = function () use (&$called) {
-            $called[] = 1;
-        };
+            public function supports(Request $request): ?bool
+            {
+                return true;
+            }
 
-        $second = function () use (&$called) {
-            $called[] = 2;
+            public function authenticate(RequestEvent $event): void
+            {
+                ++$this->callCount;
+            }
         };
 
         $map = $this->createMock(FirewallMapInterface::class);
         $map
             ->expects($this->once())
             ->method('getListeners')
-            ->willReturn([[$first, $second], null, null])
+            ->willReturn([[$listener, $listener], null, null])
         ;
 
         $event = new RequestEvent($this->createMock(HttpKernelInterface::class), new Request(), HttpKernelInterface::MAIN_REQUEST);
@@ -77,7 +85,7 @@ public function testOnKernelRequestStopsWhenThereIsAResponse()
         $firewall = new Firewall($map, $this->createMock(EventDispatcherInterface::class));
         $firewall->onKernelRequest($event);
 
-        $this->assertSame([1], $called);
+        $this->assertSame(1, $listener->callCount);
     }
 
     public function testOnKernelRequestWithSubRequest()
@@ -100,11 +108,10 @@ public function testOnKernelRequestWithSubRequest()
         $this->assertFalse($event->hasResponse());
     }
 
-    public function testListenersAreCalled()
+    public function testFirewallListenersAreCalled()
     {
         $calledListeners = [];
 
-        $callableListener = static function() use(&$calledListeners) { $calledListeners[] = 'callableListener'; };
         $firewallListener = new class($calledListeners) implements FirewallListenerInterface {
             public function __construct(private array &$calledListeners) {}
 
@@ -144,14 +151,43 @@ public function authenticate(RequestEvent $event): void
             ->expects($this->once())
             ->method('getListeners')
             ->with($this->equalTo($request))
-            ->willReturn([[$callableListener, $firewallListener, $callableFirewallListener], null, null])
+            ->willReturn([[$firewallListener, $callableFirewallListener], null, null])
+        ;
+
+        $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST);
+
+        $firewall = new Firewall($map, $this->createMock(EventDispatcherInterface::class));
+        $firewall->onKernelRequest($event);
+
+        $this->assertSame(['firewallListener', 'callableFirewallListener'], $calledListeners);
+    }
+
+    /**
+     * @group legacy
+     */
+    public function testCallableListenersAreCalled()
+    {
+        $this->expectUserDeprecationMessage('Since symfony/security-http 7.4: Using a callable as firewall listener is deprecated, extend "Symfony\Component\Security\Http\Firewall\AbstractListener" or implement "Symfony\Component\Security\Http\Firewall\FirewallListenerInterface" instead.');
+
+        $calledListeners = [];
+
+        $callableListener = static function() use(&$calledListeners) { $calledListeners[] = 'callableListener'; };
+
+        $request = $this->createMock(Request::class);
+
+        $map = $this->createMock(FirewallMapInterface::class);
+        $map
+            ->expects($this->once())
+            ->method('getListeners')
+            ->with($this->equalTo($request))
+            ->willReturn([[$callableListener], null, null])
         ;
 
         $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST);
 
         $firewall = new Firewall($map, $this->createMock(EventDispatcherInterface::class));
         $firewall->onKernelRequest($event);
 
-        $this->assertSame(['callableListener', 'firewallListener', 'callableFirewallListener'], $calledListeners);
+        $this->assertSame(['callableListener'], $calledListeners);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@`
`12`	`12`	`namespace Symfony\Bundle\SecurityBundle\Security;`
`13`	`13`
`14`	`14`	`use Symfony\Component\Security\Http\Firewall\ExceptionListener;`
	`15`	`+use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;`
`15`	`16`	`use Symfony\Component\Security\Http\Firewall\LogoutListener;`
`16`	`17`
`17`	`18`	`/**`
`@@ -39,7 +40,7 @@ public function getConfig(): ?FirewallConfig`
`39`	`40`	`}`
`40`	`41`
`41`	`42`	`/**`
`42`		`- * @return iterable<mixed, callable>`
	`43`	`+ * @return iterable<mixed, FirewallListenerInterface\|callable>`
`43`	`44`	`*/`
`44`	`45`	`public function getListeners(): iterable`
`45`	`46`	`{`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@`
`16`	`16`	`use Symfony\Component\HttpKernel\Event\FinishRequestEvent;`
`17`	`17`	`use Symfony\Component\HttpKernel\Event\RequestEvent;`
`18`	`18`	`use Symfony\Component\HttpKernel\KernelEvents;`
	`19`	`+use Symfony\Component\Security\Http\Firewall\AbstractListener;`
`19`	`20`	`use Symfony\Component\Security\Http\Firewall\ExceptionListener;`
`20`	`21`	`use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;`
`21`	`22`	`use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;`
`@@ -123,6 +124,8 @@ protected function callListeners(RequestEvent $event, iterable $listeners)`
`123`	`124`	`{`
`124`	`125`	`foreach ($listeners as $listener) {`
`125`	`126`	`if (!$listener instanceof FirewallListenerInterface) {`
	`127`	`+ trigger_deprecation('symfony/security-http', '7.4', 'Using a callable as firewall listener is deprecated, extend "%s" or implement "%s" instead.', AbstractListener::class, FirewallListenerInterface::class);`
	`128`	`+`
`126`	`129`	`$listener($event);`
`127`	`130`	`} elseif (false !== $listener->supports($event->getRequest())) {`
`128`	`131`	`$listener->authenticate($event);`
`@@ -134,8 +137,8 @@ protected function callListeners(RequestEvent $event, iterable $listeners)`
`134`	`137`	`}`
`135`	`138`	`}`
`136`	`139`
`137`		`- private function getListenerPriority(object $logoutListener): int`
	`140`	`+ private function getListenerPriority(object $listener): int`
`138`	`141`	`{`
`139`		`- return $logoutListener instanceof FirewallListenerInterface ? $logoutListener->getPriority() : 0;`
	`142`	`+ return $listener instanceof FirewallListenerInterface ? $listener->getPriority() : 0;`
`140`	`143`	`}`
`141`	`144`	`}`