Using login handlers or even logout handlers, we can do a number of last minute things before the user is redirected to where they need to go. Being able to intercept the redirect at the last minute and make the user get redirected elsewhere is relatively simple.
Firstly though, i notice a lot of people now who are using Symfony 2 are cheating somewhat by using an EventListener and registering it with the security.interactive_login event listener. This is not the best way to go about this, namely because this event listener is not intended for this purpose. Sometimes event listeners are not the best way to go because they were defined for a specific purpose other than your intention and using them may have undesirable side effects you may not notice right away. Using handlers however allows a little more flexibility in that in all likelihood regardless of changes to Symfony in future revisions, they should still work and were designed specifically for the purposes we will need them for.
Firstly, we need to define our services, personally, i am a fan of YAML, so i define my services as such but feel free to do the same in XML:
|
|
parameters: ccdn_user_security.component.authentication.handler.login_failure_handler.class: CCDNUser\SecurityBundle\Component\Authentication\Handler\LoginFailureHandler ccdn_user_security.component.authentication.handler.logout_success_handler.class: CCDNUser\SecurityBundle\Component\Authentication\Handler\LogoutSuccessHandler services: ccdn_user_security.component.authentication.handler.login_failure_handler: class: %ccdn_user_security.component.authentication.handler.login_failure_handler.class% arguments: [@service_container, @router, @security.context] tags: - { name: 'monolog.logger', channel: 'security' } ccdn_user_security.component.authentication.handler.logout_success_handler: class: %ccdn_user_security.component.authentication.handler.logout_success_handler.class% arguments: [@service_container, @router] tags: - { name: 'monolog.logger', channel: 'security' } |
Now our services are defined, we need to define the handlers themselves. I like to create a directory named Services in my user bundle for this purpose, then create 2 files. The first file is LoginSuccessHandler, the second is LogoutSuccessHandler. Our handlers will implement the appropriate interface for either our login or logout handlers, which require usually only one method in these instances.
Here is what the login handler should look like:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 |
<?php namespace CCDNUser\SecurityBundle\Component\Authentication\Handler; use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Symfony\Component\Security\Core\SecurityContext; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\RedirectResponse; use Symfony\Component\Routing\Router; class LoginSuccessHandler implements AuthenticationSuccessHandlerInterface { protected $router; protected $security; public function __construct(Router $router, SecurityContext $security) { $this->router = $router; $this->security = $security; } public function onAuthenticationSuccess(Request $request, TokenInterface $token) { if ($this->security->isGranted('ROLE_SUPER_ADMIN')) { $response = new RedirectResponse($this->router->generate('category_index')); } elseif ($this->security->isGranted('ROLE_ADMIN')) { $response = new RedirectResponse($this->router->generate('category_index')); } elseif ($this->security->isGranted('ROLE_USER')) { // redirect the user to where they were before the login process begun. $referer_url = $request->headers->get('referer'); $response = new RedirectResponse($referer_url); } return $response; } } |
Note my namespace is CCDNUser, and my bundle is called SecurityBundle, so our service is named ccdn_user_security.component.authentication.handler.login_failure_handler. Change this to your own namespace and bundle name accordingly but ensure to use the same format as used here, underscore your namespace and append the bundle name with an additional underscore without the term ‘bundle’ in it. Failure to get this part correct will mean your namespace will not be loaded and you will get problems later on in this tutorial as exceptions will be thrown regarding the service not existing.
Here is what the logout handler should look like:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
<?php namespace CCDNUser\SecurityBundle\Component\Authentication\Handler; use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\RedirectResponse; use Symfony\Bundle\FrameworkBundle\Routing\Router; class LogoutSuccessHandler implements LogoutSuccessHandlerInterface { protected $router; public function __construct(Router $router) { $this->router = $router; } public function onLogoutSuccess(Request $request) { // redirect the user to where they were before the login process begun. $referer_url = $request->headers->get('referer'); $response = new RedirectResponse($referer_url); return $response; } } |
Our service definitions inject some of the classes we need to make use of our handlers, namely a Router object and the SecurityContext object, we can store these in member variables for later use. Then we wait for the onAuthenticationSuccess method to be called in our LoginSuccessHandler, once this has happened, we have a request and token interface object at our disposal. Using the security context object we can determine what role they have (i.e; ROLE_USER, ROLE_ADMIN etc) and appropriately redirect them as needed.
I like to redirect members of ROLE_USER role to where they came from prior to logging in. This is achieved by passing the ‘referer’ header into the redirect response object we return. I took this step both in the login and logout handlers.
Last thing we now need to do, is inform our security config that it needs to use these handlers by doing the following:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
# App/config/security.yml security: providers: fos_userbundle: id: fos_user.user_manager firewalls: main: #pattern: .* form_login: provider: fos_userbundle login_path: /login use_forward: false check_path: /login_check success_handler: ccdn_user_security.component.authentication.handler.login_success_handler failure_path: null logout: path: /logout target: / success_handler: ccdn_user_security.component.authentication.handler.logout_success_handler anonymous: true |
In this instance i am using FOSUserBundle and extending it in my own UserBundle, though this code is contained in the SecurityBundle. Which is probably the best way to do this. As the handlers used here work in any bundle because they plugin to Symfony2 core and implement their login handlers, and should not be dependant on any user bundle.
You can see a complete implementation of this in my security bundle found on github
Once this is implemented your on your way to a better login/logout system. Enjoy.