如何自定义访问被拒绝的响应

编辑此页

在 Symfony 中，您可以抛出一个 AccessDeniedException 异常来禁止用户访问。Symfony 将处理此异常并根据身份验证状态生成响应。

如果用户未通过身份验证（或匿名身份验证），则使用身份验证入口点来生成响应（通常是重定向到登录页面或 401 Unauthorized 响应）；
如果用户已通过身份验证，但没有所需的权限，则会生成 403 Forbidden 响应。

自定义未授权响应

您需要创建一个实现 AuthenticationEntryPointInterface 的类。此接口有一个方法 (start())，每当未经身份验证的用户尝试访问受保护的资源时，都会调用该方法。

        1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
        // src/Security/AuthenticationEntryPoint.php
namespace App\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;

class AuthenticationEntryPoint implements AuthenticationEntryPointInterface
{
    public function __construct(
        private UrlGeneratorInterface $urlGenerator,
    ) {
    }

    public function start(Request $request, ?AuthenticationException $authException = null): RedirectResponse
    {
        // add a custom flash message and redirect to the login page
        $request->getSession()->getFlashBag()->add('note', 'You have to login in order to access this page.');

        return new RedirectResponse($this->urlGenerator->generate('security_login'));
    }
}
    

如果您正在使用默认的 services.yaml 配置，那么就完成了！否则，您必须在容器中注册此服务。

现在，将此服务 ID 配置为防火墙的入口点。

        1
2
3
4
5
6
7
        # config/packages/security.yaml
firewalls:
    # ...

    main:
        # ...
        entry_point: App\Security\AuthenticationEntryPoint
    

        1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
        <!-- config/packages/security.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<srv:container xmlns="https://symfony.ac.cn/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="https://symfony.ac.cn/schema/dic/services"
    xsi:schemaLocation="https://symfony.ac.cn/schema/dic/services
        https://symfony.ac.cn/schema/dic/services/services-1.0.xsd">

    <config>
        <firewall name="main"
            entry-point="App\Security\AuthenticationEntryPoint"
        >
            <!-- ... -->
        </firewall>
    </config>
</srv:container>
    

        1
2
3
4
5
6
7
8
9
10
        // config/packages/security.php
use App\Security\AuthenticationEntryPoint;
use Symfony\Config\SecurityConfig;

return static function (SecurityConfig $security): void {
    $security->firewall('main')
        // ....
        ->entryPoint(AuthenticationEntryPoint::class)
    ;
};
    

自定义禁止访问响应

创建一个实现 AccessDeniedHandlerInterface 的类。此接口定义了一个名为 handle() 的方法，您可以在其中实现当当前用户访问被拒绝时应执行的任何逻辑（例如，发送邮件、记录消息或通常返回自定义响应）。

        1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
        // src/Security/AccessDeniedHandler.php
namespace App\Security;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;

class AccessDeniedHandler implements AccessDeniedHandlerInterface
{
    public function handle(Request $request, AccessDeniedException $accessDeniedException): ?Response
    {
        // ...

        return new Response($content, 403);
    }
}
    

如果您正在使用默认的 services.yaml 配置，那么您就完成了！Symfony 将自动了解您的新服务。然后，您可以在防火墙下配置它。

        1
2
3
4
5
6
7
        # config/packages/security.yaml
firewalls:
    # ...

    main:
        # ...
        access_denied_handler: App\Security\AccessDeniedHandler
    

        1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
        <!-- config/packages/security.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<srv:container xmlns="https://symfony.ac.cn/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="https://symfony.ac.cn/schema/dic/services"
    xsi:schemaLocation="https://symfony.ac.cn/schema/dic/services
        https://symfony.ac.cn/schema/dic/services/services-1.0.xsd">

    <config>
        <firewall name="main"
            access-denied-handler="App\Security\AccessDeniedHandler"
        >
            <!-- ... -->
        </firewall>
    </config>
</srv:container>
    

        1
2
3
4
5
6
7
8
9
10
        // config/packages/security.php
use App\Security\AccessDeniedHandler;
use Symfony\Config\SecurityConfig;

return static function (SecurityConfig $security): void {
    $security->firewall('main')
        // ....
        ->accessDeniedHandler(AccessDeniedHandler::class)
    ;
};
    

自定义所有访问被拒绝的响应

在某些情况下，您可能想要自定义两个响应，或者为每个 AccessDeniedException 执行特定操作（例如，日志记录）。在这种情况下，配置一个 kernel.exception 监听器。

        1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
        // src/EventListener/AccessDeniedListener.php
namespace App\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

class AccessDeniedListener implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        return [
            // the priority must be greater than the Security HTTP
            // ExceptionListener, to make sure it's called before
            // the default exception listener
            KernelEvents::EXCEPTION => ['onKernelException', 2],
        ];
    }

    public function onKernelException(ExceptionEvent $event): void
    {
        $exception = $event->getThrowable();
        if (!$exception instanceof AccessDeniedException) {
            return;
        }

        // ... perform some action (e.g. logging)

        // optionally set the custom response
        $event->setResponse(new Response(null, 403));

        // or stop propagation (prevents the next exception listeners from being called)
        //$event->stopPropagation();
    }
}
    

本作品，包括代码示例，根据 Creative Commons BY-SA 3.0 许可获得许可。

版本