为什么Symfony不使用表单来处理安全组件登录？

Question

From document https://symfony.com/doc/current/security/form_login_setup.html that describe how to setup a login form that work with Symfony Security component, I am surprised to not see the use of Symfony Form component.

They render the form in pure HTML, and the form is handled by some magic, by the security component somewhere (and break the concept of Controller that should handle the HTTP request).

Is there a particular reason to not use a Form type here? (and also a controller).

Answer 1

Symfony security does not use forms as forms works with submitted data and most of the authentication methods is done using the HTTP Headers which a form does not have access.

Security component has 2 roles: Authentication and authorization. You are mentioning authentication in this question.

Authentication it is way more complex than just handling a form in a controller.

Only one of the authentication methods implies a form submit in symfony: UsernamePasswordToken and even that can be submitted as a http basic/digest authentication via a header.

Other ways of login/authentication/authorization is via the remember me token, sessions, oauth tokens, Json Web Tokens, SAML, etc.

The more flexible way is to just have a authentication system based in events, although this adds quite complexity to the system that has been addressed with Symfony Guard in Symfony 3.

https://symfony.com/doc/2.0/book/security.html

Answer 2

I finally wrote my own GuardAuthenticator that handle Symfony form (extends Symfony\\Component\\Security\\Guard\\Authenticator\\AbstractFormLoginAuthenticator):

This work like a charm! and the design team can use form easily.