[Security] Deprecate callable firewall listeners

MatTheCat · MatTheCat · commit 55c3cfbc2eb8 · 2025-06-05T10:40:00.000+02:00
diff --git a/UPGRADE-7.4.md b/UPGRADE-7.4.md
@@ -0,0 +1,14 @@
+UPGRADE FROM 7.3 to 7.4
+=======================
+
+Symfony 7.4 is a minor release. According to the Symfony release process, there should be no significant
+backward compatibility breaks. Minor backward compatibility breaks are prefixed in this document with
+`[BC BREAK]`, make sure your code is compatible with these entries before upgrading.
+Read more about this in the [Symfony documentation](https://symfony.com/doc/7.4/setup/upgrade_minor.html).
+
+If you're upgrading from a version below 7.3, follow the [7.3 upgrade guide](UPGRADE-7.3.md) first.
+
+Security
+--------
+
+ * Deprecate callable firewall listeners, extend `AbstractListener` instead
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+7.4
+---
+
+ * Deprecate callable firewall listeners, extend `AbstractListener` instead
+
 7.3
 ---
 
diff --git a/src/Symfony/Bundle/SecurityBundle/Security/LazyFirewallContext.php b/src/Symfony/Bundle/SecurityBundle/Security/LazyFirewallContext.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Bundle\SecurityBundle\Security;
 
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Http\Event\LazyResponseEvent;
@@ -23,7 +24,7 @@
  *
  * @author Nicolas Grekas <p@tchwork.com>
  */
-class LazyFirewallContext extends FirewallContext
+class LazyFirewallContext extends FirewallContext implements FirewallListenerInterface
 {
     public function __construct(
         iterable $listeners,
@@ -40,7 +41,22 @@ public function getListeners(): iterable
         return [$this];
     }
 
-    public function __invoke(RequestEvent $event): void
+    public function supports(Request $request): ?bool
+    {
+        foreach (parent::getListeners() as $listener) {
+            if (!$listener instanceof FirewallListenerInterface) {
+                return true;
+            }
+
+            if (false !== $listener->supports($request)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    public function authenticate(RequestEvent $event): void
     {
         $listeners = [];
         $request = $event->getRequest();
@@ -75,4 +91,14 @@ public function __invoke(RequestEvent $event): void
             }
         });
     }
+
+    public static function getPriority(): int
+    {
+        return 0;
+    }
+
+    public function __invoke(RequestEvent $event): void
+    {
+        $this->authenticate($event);
+    }
 }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DataCollector/SecurityDataCollectorTest.php
@@ -32,6 +32,7 @@
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
 use Symfony\Component\Security\Core\Role\RoleHierarchy;
 use Symfony\Component\Security\Core\User\InMemoryUser;
+use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Component\Security\Http\FirewallMapInterface;
 use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
 use Symfony\Component\VarDumper\Caster\ClassStub;
@@ -193,8 +194,24 @@ public function testGetListeners()
         $request = new Request();
         $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST);
         $event->setResponse($response = new Response());
-        $listener = function ($e) use ($event, &$listenerCalled) {
-            $listenerCalled += $e === $event;
+        $listener = new class implements FirewallListenerInterface
+        {
+            public int $callCount = 0;
+
+            public function supports(Request $request): ?bool
+            {
+                return true;
+            }
+
+            public function authenticate(RequestEvent $event): void
+            {
+                ++$this->callCount;
+            }
+
+            public static function getPriority(): int
+            {
+                return 0;
+            }
         };
         $firewallMap = $this
             ->getMockBuilder(FirewallMap::class)
@@ -217,9 +234,9 @@ public function testGetListeners()
         $collector = new SecurityDataCollector(null, null, null, null, $firewallMap, $firewall, true);
         $collector->collect($request, $response);
 
-        $this->assertNotEmpty($collected = $collector->getListeners()[0]);
+        $this->assertCount(1, $collector->getListeners());
         $collector->lateCollect();
-        $this->assertSame(1, $listenerCalled);
+        $this->assertSame(1, $listener->callCount);
     }
 
     public function testCollectCollectsDecisionLogWhenStrategyIsAffirmative()
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/Debug/TraceableFirewallListenerTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/Debug/TraceableFirewallListenerTest.php
@@ -30,6 +30,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 use Symfony\Component\Security\Http\Firewall\AuthenticatorManagerListener;
+use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
 
 /**
@@ -41,9 +42,25 @@ public function testOnKernelRequestRecordsListeners()
     {
         $request = new Request();
         $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST);
-        $event->setResponse($response = new Response());
-        $listener = function ($e) use ($event, &$listenerCalled) {
-            $listenerCalled += $e === $event;
+        $event->setResponse(new Response());
+        $listener = new class implements FirewallListenerInterface
+        {
+            public int $callCount = 0;
+
+            public function supports(Request $request): ?bool
+            {
+                return true;
+            }
+
+            public function authenticate(RequestEvent $event): void
+            {
+                ++$this->callCount;
+            }
+
+            public static function getPriority(): int
+            {
+                return 0;
+            }
         };
         $firewallMap = $this->createMock(FirewallMap::class);
         $firewallMap
diff --git a/src/Symfony/Component/Security/Http/Firewall.php b/src/Symfony/Component/Security/Http/Firewall.php
@@ -16,6 +16,7 @@
 use Symfony\Component\HttpKernel\Event\FinishRequestEvent;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Security\Http\Firewall\AbstractListener;
 use Symfony\Component\Security\Http\Firewall\ExceptionListener;
 use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
@@ -122,6 +123,10 @@ public static function getSubscribedEvents()
     protected function callListeners(RequestEvent $event, iterable $listeners)
     {
         foreach ($listeners as $listener) {
+            if (!$listener instanceof FirewallListenerInterface) {
+                trigger_deprecation('symfony/security-http', '7.4', 'Using a callable as firewall listener is deprecated, extend "%s" instead.', AbstractListener::class);
+            }
+
             $listener($event);
 
             if ($event->hasResponse()) {
@@ -130,8 +135,8 @@ protected function callListeners(RequestEvent $event, iterable $listeners)
         }
     }
 
-    private function getListenerPriority(object $logoutListener): int
+    private function getListenerPriority(object $listener): int
     {
-        return $logoutListener instanceof FirewallListenerInterface ? $logoutListener->getPriority() : 0;
+        return $listener instanceof FirewallListenerInterface ? $listener->getPriority() : 0;
     }
 }
diff --git a/src/Symfony/Component/Security/Http/Tests/FirewallTest.php b/src/Symfony/Component/Security/Http/Tests/FirewallTest.php
@@ -18,6 +18,7 @@
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 use Symfony\Component\Security\Http\Firewall;
+use Symfony\Component\Security\Http\Firewall\AbstractListener;
 use Symfony\Component\Security\Http\Firewall\ExceptionListener;
 use Symfony\Component\Security\Http\FirewallMapInterface;
 
@@ -52,21 +53,31 @@ public function testOnKernelRequestRegistersExceptionListener()
 
     public function testOnKernelRequestStopsWhenThereIsAResponse()
     {
-        $called = [];
-
-        $first = function () use (&$called) {
-            $called[] = 1;
-        };
-
-        $second = function () use (&$called) {
-            $called[] = 2;
+        $listener = new class extends AbstractListener
+        {
+            public int $callCount = 0;
+
+            public function supports(Request $request): ?bool
+            {
+                return true;
+            }
+
+            public function authenticate(RequestEvent $event): void
+            {
+                ++$this->callCount;
+            }
+
+            public static function getPriority(): int
+            {
+                return 0;
+            }
         };
 
         $map = $this->createMock(FirewallMapInterface::class);
         $map
             ->expects($this->once())
             ->method('getListeners')
-            ->willReturn([[$first, $second], null, null])
+            ->willReturn([[$listener, $listener], null, null])
         ;
 
         $event = new RequestEvent($this->createMock(HttpKernelInterface::class), new Request(), HttpKernelInterface::MAIN_REQUEST);
@@ -75,7 +86,7 @@ public function testOnKernelRequestStopsWhenThereIsAResponse()
         $firewall = new Firewall($map, $this->createMock(EventDispatcherInterface::class));
         $firewall->onKernelRequest($event);
 
-        $this->assertSame([1], $called);
+        $this->assertSame(1, $listener->callCount);
     }
 
     public function testOnKernelRequestWithSubRequest()

Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@`
`16`	`16`	`use Symfony\Component\HttpKernel\Event\FinishRequestEvent;`
`17`	`17`	`use Symfony\Component\HttpKernel\Event\RequestEvent;`
`18`	`18`	`use Symfony\Component\HttpKernel\KernelEvents;`
	`19`	`+use Symfony\Component\Security\Http\Firewall\AbstractListener;`
`19`	`20`	`use Symfony\Component\Security\Http\Firewall\ExceptionListener;`
`20`	`21`	`use Symfony\Component\Security\Http\Firewall\FirewallListenerInterface;`
`21`	`22`	`use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;`
`@@ -122,6 +123,10 @@ public static function getSubscribedEvents()`
`122`	`123`	`protected function callListeners(RequestEvent $event, iterable $listeners)`
`123`	`124`	`{`
`124`	`125`	`foreach ($listeners as $listener) {`
	`126`	`+ if (!$listener instanceof FirewallListenerInterface) {`
	`127`	`+ trigger_deprecation('symfony/security-http', '7.4', 'Using a callable as firewall listener is deprecated, extend "%s" instead.', AbstractListener::class);`
	`128`	`+ }`
	`129`	`+`
`125`	`130`	`$listener($event);`
`126`	`131`
`127`	`132`	`if ($event->hasResponse()) {`
`@@ -130,8 +135,8 @@ protected function callListeners(RequestEvent $event, iterable $listeners)`
`130`	`135`	`}`
`131`	`136`	`}`
`132`	`137`
`133`		`- private function getListenerPriority(object $logoutListener): int`
	`138`	`+ private function getListenerPriority(object $listener): int`
`134`	`139`	`{`
`135`		`- return $logoutListener instanceof FirewallListenerInterface ? $logoutListener->getPriority() : 0;`
	`140`	`+ return $listener instanceof FirewallListenerInterface ? $listener->getPriority() : 0;`
`136`	`141`	`}`
`137`	`142`	`}`