class AuthenticationSubscriber

Same name and namespace in other branches
  1. 9 core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php \Drupal\Core\EventSubscriber\AuthenticationSubscriber
  2. 8.9.x core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php \Drupal\Core\EventSubscriber\AuthenticationSubscriber
  3. 10 core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php \Drupal\Core\EventSubscriber\AuthenticationSubscriber

Authentication subscriber.

Trigger authentication during the request.

Hierarchy

  • class \Drupal\Core\EventSubscriber\AuthenticationSubscriber implements \Symfony\Component\EventDispatcher\EventSubscriberInterface

Expanded class hierarchy of AuthenticationSubscriber

File

core/lib/Drupal/Core/EventSubscriber/AuthenticationSubscriber.php, line 20

Namespace

Drupal\Core\EventSubscriber
View source 
class AuthenticationSubscriber implements EventSubscriberInterface {
    
    /**
     * Authentication provider.
     *
     * @var \Drupal\Core\Authentication\AuthenticationProviderInterface
     */
    protected $authenticationProvider;
    
    /**
     * Authentication provider filter.
     *
     * @var \Drupal\Core\Authentication\AuthenticationProviderFilterInterface|null
     */
    protected $filter;
    
    /**
     * Authentication challenge provider.
     *
     * @var \Drupal\Core\Authentication\AuthenticationProviderChallengeInterface|null
     */
    protected $challengeProvider;
    
    /**
     * Account proxy.
     *
     * @var \Drupal\Core\Session\AccountProxyInterface
     */
    protected $accountProxy;
    
    /**
     * Constructs an authentication subscriber.
     *
     * @param \Drupal\Core\Authentication\AuthenticationProviderInterface $authentication_provider
     *   An authentication provider.
     * @param \Drupal\Core\Session\AccountProxyInterface $account_proxy
     *   Account proxy.
     */
    public function __construct(AuthenticationProviderInterface $authentication_provider, AccountProxyInterface $account_proxy) {
        $this->authenticationProvider = $authentication_provider;
        $this->filter = $authentication_provider instanceof AuthenticationProviderFilterInterface ? $authentication_provider : NULL;
        $this->challengeProvider = $authentication_provider instanceof AuthenticationProviderChallengeInterface ? $authentication_provider : NULL;
        $this->accountProxy = $account_proxy;
    }
    
    /**
     * Authenticates user on request.
     *
     * @param \Symfony\Component\HttpKernel\Event\RequestEvent $event
     *   The request event.
     *
     * @see \Drupal\Core\Authentication\AuthenticationProviderInterface::authenticate()
     */
    public function onKernelRequestAuthenticate(RequestEvent $event) {
        if ($event->isMainRequest()) {
            $request = $event->getRequest();
            if ($this->authenticationProvider
                ->applies($request)) {
                $account = $this->authenticationProvider
                    ->authenticate($request);
                if ($account) {
                    $this->accountProxy
                        ->setAccount($account);
                    return;
                }
            }
        }
    }
    
    /**
     * Denies access if authentication provider is not allowed on this route.
     *
     * @param \Symfony\Component\HttpKernel\Event\RequestEvent $event
     *   The request event.
     */
    public function onKernelRequestFilterProvider(RequestEvent $event) {
        if (isset($this->filter) && $event->isMainRequest()) {
            $request = $event->getRequest();
            if ($this->authenticationProvider
                ->applies($request) && !$this->filter
                ->appliesToRoutedRequest($request, TRUE)) {
                throw new AccessDeniedHttpException('The used authentication method is not allowed on this route.');
            }
        }
    }
    
    /**
     * Respond with a challenge on access denied exceptions if appropriate.
     *
     * On a 403 (access denied), if there are no credentials on the request, some
     * authentication methods (e.g. basic auth) require that a challenge is sent
     * to the client.
     *
     * @param \Symfony\Component\HttpKernel\Event\ExceptionEvent $event
     *   The exception event.
     */
    public function onExceptionSendChallenge(ExceptionEvent $event) {
        if (isset($this->challengeProvider) && $event->isMainRequest()) {
            $request = $event->getRequest();
            $exception = $event->getThrowable();
            if ($exception instanceof AccessDeniedHttpException && !$this->authenticationProvider
                ->applies($request) && (!isset($this->filter) || $this->filter
                ->appliesToRoutedRequest($request, FALSE))) {
                $challenge_exception = $this->challengeProvider
                    ->challengeException($request, $exception);
                if ($challenge_exception) {
                    $event->setThrowable($challenge_exception);
                }
            }
        }
    }
    
    /**
     * Detect disallowed authentication methods on access denied exceptions.
     *
     * @param \Symfony\Component\HttpKernel\Event\ExceptionEvent $event
     *   The event.
     */
    public function onExceptionAccessDenied(ExceptionEvent $event) {
        if (isset($this->filter) && $event->isMainRequest()) {
            $request = $event->getRequest();
            $exception = $event->getThrowable();
            if ($exception instanceof AccessDeniedHttpException && $this->authenticationProvider
                ->applies($request) && !$this->filter
                ->appliesToRoutedRequest($request, TRUE)) {
                $event->setThrowable(new AccessDeniedHttpException('The used authentication method is not allowed on this route.', $exception));
            }
        }
    }
    
    /**
     * {@inheritdoc}
     */
    public static function getSubscribedEvents() : array {
        // The priority for authentication must be higher than the highest event
        // subscriber accessing the current user. Especially it must be higher than
        // LanguageRequestSubscriber as LanguageManager accesses the current user if
        // the language module is enabled.
        $events[KernelEvents::REQUEST][] = [
            'onKernelRequestAuthenticate',
            300,
        ];
        // Access check must be performed after routing.
        $events[KernelEvents::REQUEST][] = [
            'onKernelRequestFilterProvider',
            31,
        ];
        $events[KernelEvents::EXCEPTION][] = [
            'onExceptionSendChallenge',
            75,
        ];
        $events[KernelEvents::EXCEPTION][] = [
            'onExceptionAccessDenied',
            80,
        ];
        return $events;
    }

}

Members

Title Modifiers Object type Summary
AuthenticationSubscriber::$accountProxy protected property Account proxy.
AuthenticationSubscriber::$authenticationProvider protected property Authentication provider.
AuthenticationSubscriber::$challengeProvider protected property Authentication challenge provider.
AuthenticationSubscriber::$filter protected property Authentication provider filter.
AuthenticationSubscriber::getSubscribedEvents public static function
AuthenticationSubscriber::onExceptionAccessDenied public function Detect disallowed authentication methods on access denied exceptions.
AuthenticationSubscriber::onExceptionSendChallenge public function Respond with a challenge on access denied exceptions if appropriate.
AuthenticationSubscriber::onKernelRequestAuthenticate public function Authenticates user on request.
AuthenticationSubscriber::onKernelRequestFilterProvider public function Denies access if authentication provider is not allowed on this route.
AuthenticationSubscriber::__construct public function Constructs an authentication subscriber.

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.