Php Symfony2-抛出AccessDeniedHttpException don';t工作编辑:安全性
我想删除当某个地方被抛出Php Symfony2-抛出AccessDeniedHttpException don';t工作编辑:安全性,php,symfony,security,authentication,symfony-components,Php,Symfony,Security,Authentication,Symfony Components,我想删除当某个地方被抛出AccesDeniedException时重定向的不必要影响。我的意思是重定向到“登录”页面,如果用户未经验证 我创建了kernel.exceptionlistener class ApiAccessDeniedListener implements EventSubscriberInterface { private $format; public function __construct($format = 'json') {
AccesDeniedException
时重定向的不必要影响。我的意思是重定向到“登录”页面,如果用户未经验证
我创建了kernel.exception
listener
class ApiAccessDeniedListener implements EventSubscriberInterface
{
private $format;
public function __construct($format = 'json')
{
$this->format = $format;
}
public function onKernelException(GetResponseForExceptionEvent $event)
{
$exception = $event->getException();
// here some conditions
if($exception instanceof AccessDeniedException){
$exception = new AccessDeniedHttpException('You do not have the necessary permissions', $exception);
}
}
public static function getSubscribedEvents()
{
return array(
KernelEvents::EXCEPTION => array('onKernelException', 5),
);
}
}
此侦听器按正确的顺序正常工作,但防火墙始终将我重定向到登录页面。
即:
异常侦听器
如果任何侦听器抛出AuthenticationException,则
将安全区域添加到时提供的异常侦听器
防火墙映射将跳入
异常侦听器根据
创建时收到的参数。它可能会启动
身份验证程序,可能要求用户提供
再次验证凭据(仅在基于
“记住我”cookie),或将异常转换为
AccessDeniedHttpException,这将最终导致
“HTTP/1.1 403:拒绝访问”响应
我明白-如果我抛出AccessDeniedHttpException
我应该得到instant 403而不是重定向,
我说得对吗
第二,我挖了symfony,也有同样的把戏?我想
private function handleAccessDeniedException(GetResponseForExceptionEvent $event, AccessDeniedException $exception)
{
$event->setException(new AccessDeniedHttpException($exception->getMessage(), $exception));
//...
}
此外,symfony调试器在验证后显示2个异常。(理应如此):
第一个AccessDeniedException
和第二个AccessDeniedHttpException
我如何解决我的问题?如何抛出即时403错误
编辑 我发现问题出在哪里了。防火墙
ExceptionListener
使用循环检查所有以前的异常:
public function onKernelException(GetResponseForExceptionEvent $event)
{
$exception = $event->getException();
do {
if ($exception instanceof AuthenticationException) {
return $this->handleAuthenticationException($event, $exception);
} elseif ($exception instanceof AccessDeniedException) {
return $this->handleAccessDeniedException($event, $exception);
} elseif ($exception instanceof LogoutException) {
return $this->handleLogoutException($exception);
}
} while (null !== $exception = $exception->getPrevious());
}
我可以将我的侦听器更改为:
public function onKernelException(GetResponseForExceptionEvent $event)
{
$exception = $event->getException();
// here some conditions
if($exception instanceof AccessDeniedException){
//old version
//$exception = new AccessDeniedHttpException('You do not have the necessary permissions', $exception);
$exception = new AccessDeniedHttpException('You do not have the necessary permissions', $exception->getPrevious());
}
}
新问题是-它会导致任何安全问题吗?
我认为这是个好办法
public function onKernelException(GetResponseForExceptionEvent $event)
{
$exception = $event->getException();
// here some conditions
if($exception instanceof AccessDeniedException){
//old version
//$exception = new AccessDeniedHttpException('You do not have the necessary permissions', $exception);
$exception = new AccessDeniedHttpException('You do not have the necessary permissions', $exception->getPrevious());
}
}