
Security in Symfony2: How a custom user provider manages to validate passwords?

I'm following the Symfony cookbook on creating a custom user provider but I have no idea how to validate the user password. Is this a task of the User Provider? Or should this happen elsewhere? How do I make sure the password he submitted via form equals the one in the database?

The user provider's not the one that handles the authentication. That's the task of the authentication provider.

Take a look at the neighbouring article How to create a custom Authentication Provider to get some ideas.

You could also take a look at Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider. See how its constructor accepts an instance of the userProvider and then uses it in retrieveUser() to get the user's data from the DB? Also, in the UserAuthenticationProvider abstract class, which the DaoAuthenticationProvider extends, this data is passed to the checkAuthentication() method (implemented by DaoAuthenticationProvider). There it uses the encoder associated with the User class to first encode the password of the UserInterface instance retrieved from the UsernamePasswordToken, then compare it to the already encoded version retrieved from the database.

EDIT: regarding your comment: I've done something similar to this not so long ago (only I used a standard form login with a VERY nonstandard authentication manager (: ), but unfortunately I don't quite remember the implementation. What I remember is that I had to read a lot of Symfony2 source code... You could try starting with the implementation of your custom AuthenticationProvider. You could try to base it on the UserAuthenticationProvider abstract class and use DaoAuthenticationProvider as a sort of a reference... that is, you could implement retrieveUser() in such a way that it uses your user provider to retrieve the relevant data, then also implement the checkAuthentication() method in such a way that it makes use of the retrieved user's data. Then, if your user's credentials are encoded in some way, I think you'll need to specify an appropriate encoder in the security.encoders config for your custom user class. Oh, and don't forget about the authentication provider factory and custom security tokens.

I'm really sorry if some information that I provided is incorrect. It's just that I don't have my implementation in front of me right now (and, to be absolutely frank, I'm too lazy to go digging through Symfony 2 code again right now).

ANOTHER EDIT: concerning the configuration part. Yet again, I'm not sure if I remember correctly, but I THINK that you definitely need to specify your custom auth provider's factory in the config. It will then give you the ability to include the key (that you specified in the factory's getKey() method) in your firewall's config, and this will enable your custom auth provider for this firewall.
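
The division of work described in the answer above, as an added example that is not part of the original answer or of Symfony's own code: the user provider only loads the stored record, and the authentication provider's checkAuthentication() validates the submitted password. It assumes the Symfony 2 Security component classes the answer names; the namespace and class name are hypothetical.

```php
<?php
// Added illustration; namespace and class name are hypothetical.
namespace Acme\DemoBundle\Security;

use Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvider;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

class CustomAuthenticationProvider extends UserAuthenticationProvider
{
    private $userProvider;
    private $encoderFactory;

    public function __construct(UserProviderInterface $userProvider, UserCheckerInterface $userChecker, $providerKey, EncoderFactoryInterface $encoderFactory)
    {
        parent::__construct($userChecker, $providerKey);
        $this->userProvider = $userProvider;
        $this->encoderFactory = $encoderFactory;
    }

    // Step 1: the user provider only loads the stored record (hash and salt).
    protected function retrieveUser($username, UsernamePasswordToken $token)
    {
        $user = $this->userProvider->loadUserByUsername($username);
        if (!$user instanceof UserInterface) {
            throw new AuthenticationServiceException('The user provider must return a UserInterface object.');
        }
        return $user;
    }

    // Step 2: the authentication provider checks the submitted password against the stored hash.
    protected function checkAuthentication(UserInterface $user, UsernamePasswordToken $token)
    {
        $presented = $token->getCredentials(); // raw password from the login form
        if ('' === (string) $presented) {
            throw new BadCredentialsException('The presented password cannot be empty.');
        }
        $encoder = $this->encoderFactory->getEncoder($user); // selected via security.encoders
        if (!$encoder->isPasswordValid($user->getPassword(), $presented, $user->getSalt())) {
            throw new BadCredentialsException('The presented password is invalid.');
        }
    }
}
```

Both failure paths throw BadCredentialsException with a generic message, so the login response does not reveal whether the username or the password was wrong.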
