如何在控制器中访问防火墙配置？

Question

I'm trying to get the firewall information (define in security.yml ) in one of my controller.

The part I need is the switch_user configuration :

switch_user: { role: ROLE_ADMIN, parameter: _abagnale }

The goal is to create a link in admin section which allows administrators to switch user in one click.

First test

I have tried to define this values as parameters.

security:
     # ...
     switch_user: { role: %switch_user_role%, parameter: %switch_user_parameter% }

parameters:
   switch_user_role:      ROLE_ADMIN
   switch_user_parameter: _abagnale

And now in controller, I can get it with $this->container->parameters['switch_user_role'] .

This solution is not sufficient, because if I don't want to override default symfony parameters, switch_user_role and switch_user_parameter will not be defined.

Second test

An other way I have tried is to retrieve an object instance that represent the current firewall.

I have discovered I can retrieve firewall name in controller with $this->container->get('security.context')->getToken()->getProviderKey()

But I'm stuck here because I can't find what I have to do with this value.

So what is the best way to access firewall configuration in controller ?

Answer 1

May be simple read config file security.yml?

UPD :Ok.

I think use DI is simple way for to complete your task. Sorry, my code for Symfony 2.1. I can't check how it work in 2.3, but i think it don't have global changes for this logic.

All authentication events are processed by some listeners. As Example, Symfony\\Component\\Security\\Http\\Firewall namespace. For switch_user event it's Symfony\\Component\\Security\\Http\\Firewall\\SwitchUserListener . Extend it and be happy.

Code:

Given security.yml :

firewalls:
    secured_area_2:
        switch_user:
            provider:             ~
            parameter:            _switch_useraaaaa
            role:                 ROLE_ALLOWED_TO_SWITCH

I create my listener.

<?php

namespace Nonlux\TestBundle\Symfony;

use Symfony\Component\Security\Http\Firewall\SwitchUserListener as BaseListener;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
use Psr\Log\LoggerInterface;

class SwitchUserListener extends BaseListener
{
    private $usernameParameter;
    private $role;

    public function __construct(SecurityContextInterface $securityContext, UserProviderInterface $provider, UserCheckerInterface $userChecker, $providerKey, AccessDecisionManagerInterface $accessDecisionManager, LoggerInterface $logger = null, $usernameParameter = '_switch_user', $role = 'ROLE_ALLOWED_TO_SWITCH', EventDispatcherInterface $dispatcher = null)
    {
        $this->usernameParameter = $usernameParameter;
        $this->role = $role;
        parent::__construct($securityContext, $provider,$userChecker, $providerKey, $accessDecisionManager, $logger, $usernameParameter, $role, $dispatcher);

    }

    public function getUsernameParameter(){
        return $this->usernameParameter;
    }

    public function getRole(){
        return $this->role;
    }
}

I change standart listener with my.

# app/config/config.yml
imports:
...
    - { resource: services.xml }    
...

Important! By default security authentication listeners have public = "false" parameter. But we don't do it and than we can see child listeners in container. If you don't like to do it. you can create service that can store needed data, fill it from your listener and do your magic.

<!-- app/config/services.xml  -->
<?xml version="1.0" ?>
<container xmlns="http://symfony.com/schema/dic/services"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">  
    <parameters>
        <parameter key="nonlux.security.authentication.switchuser_listener.class">Nonlux\TestBundle\Symfony\SwitchUserListener</parameter>
    </parameters>
    <services>
        <service id="security.authentication.switchuser_listener" class="%nonlux.security.authentication.switchuser_listener.class%" abstract="true">
            <tag name="monolog.logger" channel="security" />
            <argument type="service" id="security.context" />
            <argument /> <!-- User Provider -->
            <argument type="service" id="security.user_checker" />
            <argument /> <!--  Provider Key -->
            <argument type="service" id="security.access.decision_manager" />
            <argument type="service" id="logger" on-invalid="null" />
            <argument>_switch_user</argument>
            <argument>ROLE_ALLOWED_TO_SWITCH</argument>
            <argument type="service" id="event_dispatcher" on-invalid="null"/>
        </service>
    </services>
</container>

Use it in controler ( use service 'security.authentication.switchuser_listener.you_firewall_name')

<?php

namespace Nonlux\TestBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Sensio\Bundle\FrameworkExtraBundle\Configuration\Template;

class DefaultController extends Controller
{

   /**
     * @Route("/switch", name="switch")
     * @Template()
     */
    public function switchAction()
    {
        $name=$this->get("security.authentication.switchuser_listener.secured_area_2")->getUsernameParameter();
        return array('name' => $name);
    }
}

See magic in page and be happy.

Hello  _switch_useraaaaa