symfony
diff --git a/‎Firewall/AbstractAuthenticationListener.php
Lines changed: 10 additions & 6 deletions b/‎Firewall/AbstractAuthenticationListener.php
Lines changed: 10 additions & 6 deletions
diff --git a/‎Firewall/AbstractListener.php
Lines changed: 42 additions & 0 deletions b/‎Firewall/AbstractListener.php
Lines changed: 42 additions & 0 deletions
diff --git a/‎Firewall/AbstractPreAuthenticatedListener.php
Lines changed: 19 additions & 8 deletions b/‎Firewall/AbstractPreAuthenticatedListener.php
Lines changed: 19 additions & 8 deletions
diff --git a/‎Firewall/AccessListener.php
Lines changed: 18 additions & 4 deletions b/‎Firewall/AccessListener.php
Lines changed: 18 additions & 4 deletions
diff --git a/‎Firewall/AnonymousAuthenticationListener.php
Lines changed: 11 additions & 2 deletions b/‎Firewall/AnonymousAuthenticationListener.php
Lines changed: 11 additions & 2 deletions
diff --git a/‎Firewall/BasicAuthenticationListener.php
Lines changed: 10 additions & 2 deletions b/‎Firewall/BasicAuthenticationListener.php
Lines changed: 10 additions & 2 deletions
diff --git a/‎Firewall/ChannelListener.php
Lines changed: 16 additions & 12 deletions b/‎Firewall/ChannelListener.php
Lines changed: 16 additions & 12 deletions
diff --git a/‎Firewall/ContextListener.php
Lines changed: 21 additions & 2 deletions b/‎Firewall/ContextListener.php
Lines changed: 21 additions & 2 deletions
@@ -48,7 +48,7 @@
  * @author Fabien Potencier <[email protected]>
  * @author Johannes M. Schmitt <[email protected]>
  */
-abstract class AbstractAuthenticationListener
+abstract class AbstractAuthenticationListener extends AbstractListener
 {
     protected $options;
     protected $logger;
@@ -102,20 +102,24 @@ public function setRememberMeServices(RememberMeServicesInterface $rememberMeSer
         $this->rememberMeServices = $rememberMeServices;
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function supports(Request $request): ?bool
+    {
+        return $this->requiresAuthentication($request);
+    }
+
     /**
      * Handles form based authentication.
      *
      * @throws \RuntimeException
      * @throws SessionUnavailableException
      */
-    public function __invoke(RequestEvent $event)
+    public function authenticate(RequestEvent $event)
     {
         $request = $event->getRequest();
 
-        if (!$this->requiresAuthentication($request)) {
-            return;
-        }
-
         if (!$request->hasSession()) {
             throw new \RuntimeException('This authentication method requires a session.');
         }
 
@@ -0,0 +1,42 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Firewall;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+
+/**
+ * A base class for listeners that can tell whether they should authenticate incoming requests.
+ *
+ * @author Nicolas Grekas <[email protected]>
+ */
+abstract class AbstractListener
+{
+    final public function __invoke(RequestEvent $event)
+    {
+        if (false !== $this->supports($event->getRequest())) {
+            $this->authenticate($event);
+        }
+    }
+
+    /**
+     * Tells whether the authenticate() method should be called or not depending on the incoming request.
+     *
+     * Returning null means authenticate() can be called lazily when accessing the token storage.
+     */
+    abstract public function supports(Request $request): ?bool;
+
+    /**
+     * Does whatever is required to authenticate the request, typically calling $event->setResponse() internally.
+     */
+    abstract public function authenticate(RequestEvent $event);
+}
@@ -34,8 +34,8 @@
  *
  * @internal
  */
-abstract class AbstractPreAuthenticatedListener
-{
+abstract class AbstractPreAuthenticatedListener extends AbstractListener
+
     protected $logger;
     private $tokenStorage;
     private $authenticationManager;
@@ -53,20 +53,31 @@ public function __construct(TokenStorageInterface $tokenStorage, AuthenticationM
     }
 
     /**
-     * Handles pre-authentication.
+     * {@inheritdoc}
      */
-    public function __invoke(RequestEvent $event)
+    public function supports(Request $request): ?bool
     {
-        $request = $event->getRequest();
-
         try {
-            list($user, $credentials) = $this->getPreAuthenticatedData($request);
+            $request->attributes->set('_pre_authenticated_data', $this->getPreAuthenticatedData($request));
         } catch (BadCredentialsException $e) {
             $this->clearToken($e);
 
-            return;
+            return false;
         }
 
+        return true;
+    }
+
+    /**
+     * Handles pre-authentication.
+     */
+    public function authenticate(RequestEvent $event)
+    {
+        $request = $event->getRequest();
+
+        [$user, $credentials] = $request->attributes->get('_pre_authenticated_data');
+        $request->attributes->remove('_pre_authenticated_data');
+
         if (null !== $this->logger) {
             $this->logger->debug('Checking current security token.', ['token' => (string) $this->tokenStorage->getToken()]);
         }
 
@@ -11,10 +11,12 @@
 
 namespace Symfony\Component\Security\Http\Firewall;
 
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
+use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
 use Symfony\Component\Security\Http\AccessMapInterface;
@@ -27,7 +29,7 @@
  *
  * @final
  */
-class AccessListener
+class AccessListener extends AbstractListener
 {
     private $tokenStorage;
     private $accessDecisionManager;
@@ -42,23 +44,35 @@ public function __construct(TokenStorageInterface $tokenStorage, AccessDecisionM
         $this->authManager = $authManager;
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function supports(Request $request): ?bool
+    {
+        [$attributes] = $this->map->getPatterns($request);
+        $request->attributes->set('_access_control_attributes', $attributes);
+
+        return $attributes && [AuthenticatedVoter::IS_AUTHENTICATED_ANONYMOUSLY] !== $attributes ? true : null;
+    }
+
     /**
      * Handles access authorization.
      *
      * @throws AccessDeniedException
      * @throws AuthenticationCredentialsNotFoundException
      */
-    public function __invoke(RequestEvent $event)
+    public function authenticate(RequestEvent $event)
     {
         if (!$event instanceof LazyResponseEvent && null === $token = $this->tokenStorage->getToken()) {
             throw new AuthenticationCredentialsNotFoundException('A Token was not found in the TokenStorage.');
         }
 
         $request = $event->getRequest();
 
-        list($attributes) = $this->map->getPatterns($request);
+        $attributes = $request->attributes->get('_access_control_attributes');
+        $request->attributes->remove('_access_control_attributes');
 
-        if (!$attributes) {
+        if (!$attributes || ([AuthenticatedVoter::IS_AUTHENTICATED_ANONYMOUSLY] === $attributes && $event instanceof LazyResponseEvent)) {
             return;
         }
 
 
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Http\Firewall;
 
 use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
@@ -26,7 +27,7 @@
  *
  * @final
  */
-class AnonymousAuthenticationListener
+class AnonymousAuthenticationListener extends AbstractListener
 {
     private $tokenStorage;
     private $secret;
@@ -41,10 +42,18 @@ public function __construct(TokenStorageInterface $tokenStorage, string $secret,
         $this->logger = $logger;
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function supports(Request $request): ?bool
+    {
+        return null; // always run authenticate() lazily with lazy firewalls
+    }
+
     /**
      * Handles anonymous authentication.
      */
-    public function __invoke(RequestEvent $event)
+    public function authenticate(RequestEvent $event)
     {
         if (null !== $this->tokenStorage->getToken()) {
             return;
 
@@ -29,7 +29,7 @@
  *
  * @final
  */
-class BasicAuthenticationListener
+class BasicAuthenticationListener extends AbstractListener
 {
     private $tokenStorage;
     private $authenticationManager;
@@ -53,10 +53,18 @@ public function __construct(TokenStorageInterface $tokenStorage, AuthenticationM
         $this->ignoreFailure = false;
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function supports(Request $request): ?bool
+    {
+        return null !== $request->headers->get('PHP_AUTH_USER');
+    }
+
     /**
      * Handles basic authentication.
      */
-    public function __invoke(RequestEvent $event)
+    public function authenticate(RequestEvent $event)
     {
         $request = $event->getRequest();
 
 
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Http\Firewall;
 
 use Psr\Log\LoggerInterface;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Http\AccessMapInterface;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
@@ -24,7 +25,7 @@
  *
  * @final
  */
-class ChannelListener
+class ChannelListener extends AbstractListener
 {
     private $map;
     private $authenticationEntryPoint;
@@ -40,10 +41,8 @@ public function __construct(AccessMapInterface $map, AuthenticationEntryPointInt
     /**
      * Handles channel management.
      */
-    public function __invoke(RequestEvent $event)
+    public function supports(Request $request): ?bool
     {
-        $request = $event->getRequest();
-
         list(, $channel) = $this->map->getPatterns($request);
 
         if ('https' === $channel && !$request->isSecure()) {
@@ -57,21 +56,26 @@ public function __invoke(RequestEvent $event)
                 }
             }
 
-            $response = $this->authenticationEntryPoint->start($request);
-
-            $event->setResponse($response);
-
-            return;
+            return true;
         }
 
         if ('http' === $channel && $request->isSecure()) {
             if (null !== $this->logger) {
                 $this->logger->info('Redirecting to HTTP.');
             }
 
-            $response = $this->authenticationEntryPoint->start($request);
-
-            $event->setResponse($response);
+            return true;
         }
+
+        return false;
+    }
+
+    public function authenticate(RequestEvent $event)
+    {
+        $request = $event->getRequest();
+
+        $response = $this->authenticationEntryPoint->start($request);
+
+        $event->setResponse($response);
     }
 }
@@ -29,6 +29,7 @@
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Event\DeauthenticatedEvent;
+use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
 
 /**
@@ -39,7 +40,7 @@
  *
  * @final
  */
-class ContextListener
+class ContextListener extends AbstractListener
 {
     private $tokenStorage;
     private $sessionKey;
@@ -48,6 +49,7 @@ class ContextListener
     private $dispatcher;
     private $registered;
     private $trustResolver;
+    private $rememberMeServices;
     private $sessionTrackerEnabler;
 
     /**
@@ -68,10 +70,18 @@ public function __construct(TokenStorageInterface $tokenStorage, iterable $userP
         $this->sessionTrackerEnabler = $sessionTrackerEnabler;
     }
 
+    /**
+     * {@inheritdoc}
+     */
+    public function supports(Request $request): ?bool
+    {
+        return null; // always run authenticate() lazily with lazy firewalls
+    }
+
     /**
      * Reads the Security Token from the session.
      */
-    public function __invoke(RequestEvent $event)
+    public function authenticate(RequestEvent $event)
     {
         if (!$this->registered && null !== $this->dispatcher && $event->isMasterRequest()) {
             $this->dispatcher->addListener(KernelEvents::RESPONSE, [$this, 'onKernelResponse']);
@@ -112,6 +122,10 @@ public function __invoke(RequestEvent $event)
 
         if ($token instanceof TokenInterface) {
             $token = $this->refreshUser($token);
+
+            if (!$token && $this->rememberMeServices) {
+                $this->rememberMeServices->loginFail($request);
+            }
         } elseif (null !== $token) {
             if (null !== $this->logger) {
                 $this->logger->warning('Expected a security token from the session, got something else.', ['key' => $this->sessionKey, 'received' => $token]);
@@ -282,4 +296,9 @@ public static function handleUnserializeCallback($class)
     {
         throw new \ErrorException('Class not found: '.$class, 0x37313bc);
     }
+
+    public function setRememberMeServices(RememberMeServicesInterface $rememberMeServices)
+    {
+        $this->rememberMeServices = $rememberMeServices;
+    }
 }