class AuthenticationSubscriber
Authentication subscriber.
Trigger authentication during the request.
Hierarchy
- class \Drupal\Core\EventSubscriber\AuthenticationSubscriber implements \Symfony\Component\EventDispatcher\EventSubscriberInterface
Expanded class hierarchy of AuthenticationSubscriber
1 string reference to 'AuthenticationSubscriber'
- core.services.yml in core/core.services.yml 
- core/core.services.yml
1 service uses AuthenticationSubscriber
File
- 
              core/lib/ Drupal/ Core/ EventSubscriber/ AuthenticationSubscriber.php, line 20 
Namespace
Drupal\Core\EventSubscriberView source
class AuthenticationSubscriber implements EventSubscriberInterface {
  
  /**
   * Authentication provider.
   *
   * @var \Drupal\Core\Authentication\AuthenticationProviderInterface
   */
  protected $authenticationProvider;
  
  /**
   * Authentication provider filter.
   *
   * @var \Drupal\Core\Authentication\AuthenticationProviderFilterInterface|null
   */
  protected $filter;
  
  /**
   * Authentication challenge provider.
   *
   * @var \Drupal\Core\Authentication\AuthenticationProviderChallengeInterface|null
   */
  protected $challengeProvider;
  
  /**
   * Account proxy.
   *
   * @var \Drupal\Core\Session\AccountProxyInterface
   */
  protected $accountProxy;
  
  /**
   * Constructs an authentication subscriber.
   *
   * @param \Drupal\Core\Authentication\AuthenticationProviderInterface $authentication_provider
   *   An authentication provider.
   * @param \Drupal\Core\Session\AccountProxyInterface $account_proxy
   *   Account proxy.
   */
  public function __construct(AuthenticationProviderInterface $authentication_provider, AccountProxyInterface $account_proxy) {
    $this->authenticationProvider = $authentication_provider;
    $this->filter = $authentication_provider instanceof AuthenticationProviderFilterInterface ? $authentication_provider : NULL;
    $this->challengeProvider = $authentication_provider instanceof AuthenticationProviderChallengeInterface ? $authentication_provider : NULL;
    $this->accountProxy = $account_proxy;
  }
  
  /**
   * Authenticates user on request.
   *
   * @param \Symfony\Component\HttpKernel\Event\RequestEvent $event
   *   The request event.
   *
   * @see \Drupal\Core\Authentication\AuthenticationProviderInterface::authenticate()
   */
  public function onKernelRequestAuthenticate(RequestEvent $event) {
    if ($event->isMainRequest()) {
      $request = $event->getRequest();
      if ($this->authenticationProvider
        ->applies($request)) {
        $account = $this->authenticationProvider
          ->authenticate($request);
        if ($account) {
          $this->accountProxy
            ->setAccount($account);
          return;
        }
      }
    }
  }
  
  /**
   * Denies access if authentication provider is not allowed on this route.
   *
   * @param \Symfony\Component\HttpKernel\Event\RequestEvent $event
   *   The request event.
   */
  public function onKernelRequestFilterProvider(RequestEvent $event) {
    if (isset($this->filter) && $event->isMainRequest()) {
      $request = $event->getRequest();
      if ($this->authenticationProvider
        ->applies($request) && !$this->filter
        ->appliesToRoutedRequest($request, TRUE)) {
        throw new AccessDeniedHttpException('The used authentication method is not allowed on this route.');
      }
    }
  }
  
  /**
   * Respond with a challenge on access denied exceptions if appropriate.
   *
   * On a 403 (access denied), if there are no credentials on the request, some
   * authentication methods (e.g. basic auth) require that a challenge is sent
   * to the client.
   *
   * @param \Symfony\Component\HttpKernel\Event\ExceptionEvent $event
   *   The exception event.
   */
  public function onExceptionSendChallenge(ExceptionEvent $event) {
    if (isset($this->challengeProvider) && $event->isMainRequest()) {
      $request = $event->getRequest();
      $exception = $event->getThrowable();
      if ($exception instanceof AccessDeniedHttpException && !$this->authenticationProvider
        ->applies($request) && (!isset($this->filter) || $this->filter
        ->appliesToRoutedRequest($request, FALSE))) {
        $challenge_exception = $this->challengeProvider
          ->challengeException($request, $exception);
        if ($challenge_exception) {
          $event->setThrowable($challenge_exception);
        }
      }
    }
  }
  
  /**
   * Detect disallowed authentication methods on access denied exceptions.
   *
   * @param \Symfony\Component\HttpKernel\Event\ExceptionEvent $event
   *   The event.
   */
  public function onExceptionAccessDenied(ExceptionEvent $event) {
    if (isset($this->filter) && $event->isMainRequest()) {
      $request = $event->getRequest();
      $exception = $event->getThrowable();
      if ($exception instanceof AccessDeniedHttpException && $this->authenticationProvider
        ->applies($request) && !$this->filter
        ->appliesToRoutedRequest($request, TRUE)) {
        $event->setThrowable(new AccessDeniedHttpException('The used authentication method is not allowed on this route.', $exception));
      }
    }
  }
  
  /**
   * {@inheritdoc}
   */
  public static function getSubscribedEvents() : array {
    // The priority for authentication must be higher than the highest event
    // subscriber accessing the current user. Especially it must be higher than
    // LanguageRequestSubscriber as LanguageManager accesses the current user if
    // the language module is enabled.
    $events[KernelEvents::REQUEST][] = [
      'onKernelRequestAuthenticate',
      300,
    ];
    // Access check must be performed after routing.
    $events[KernelEvents::REQUEST][] = [
      'onKernelRequestFilterProvider',
      31,
    ];
    $events[KernelEvents::EXCEPTION][] = [
      'onExceptionSendChallenge',
      75,
    ];
    $events[KernelEvents::EXCEPTION][] = [
      'onExceptionAccessDenied',
      80,
    ];
    return $events;
  }
}Members
| Title Sort descending | Modifiers | Object type | Summary | 
|---|---|---|---|
| AuthenticationSubscriber::$accountProxy | protected | property | Account proxy. | 
| AuthenticationSubscriber::$authenticationProvider | protected | property | Authentication provider. | 
| AuthenticationSubscriber::$challengeProvider | protected | property | Authentication challenge provider. | 
| AuthenticationSubscriber::$filter | protected | property | Authentication provider filter. | 
| AuthenticationSubscriber::getSubscribedEvents | public static | function | |
| AuthenticationSubscriber::onExceptionAccessDenied | public | function | Detect disallowed authentication methods on access denied exceptions. | 
| AuthenticationSubscriber::onExceptionSendChallenge | public | function | Respond with a challenge on access denied exceptions if appropriate. | 
| AuthenticationSubscriber::onKernelRequestAuthenticate | public | function | Authenticates user on request. | 
| AuthenticationSubscriber::onKernelRequestFilterProvider | public | function | Denies access if authentication provider is not allowed on this route. | 
| AuthenticationSubscriber::__construct | public | function | Constructs an authentication subscriber. | 
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.
