Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Deprecate the old authentication mechanisms #41247

Merged
merged 1 commit into from
May 19, 2021
Merged

[Security] Deprecate the old authentication mechanisms #41247

merged 1 commit into from
May 19, 2021

Conversation

chalasr
Copy link
Member

@chalasr chalasr commented May 16, 2021
edited

Q A
Branch? 5.3
Bug fix? no
New feature? no
Deprecations? yes/
Tickets #39308
License MIT
Doc PR todo

Now that the authenticator system proven working well and is considered stable, we can deprecate the old authentication listeners as well as the Guard component (+ integrations).

@chalasr chalasr added this to the 5.3 milestone May 16, 2021
@chalasr chalasr requested a review from wouterj as a code owner May 16, 2021 23:28
@chalasr
Copy link
Member Author

chalasr commented May 17, 2021

Needs some work to make it green.

@chalasr chalasr force-pushed the deprec-old-sec branch 8 times, most recently from d9d281b to 03edd82 Compare May 18, 2021 00:30
@nicolas-grekas
Copy link
Member

Why 5.3? That's for 5.4 to me.

@chalasr
Copy link
Member Author

chalasr commented May 18, 2021

Deprecating the old security system as a late change for 5.3 was discussed on slack with @wouterj and @fabpot.

@wouterj
Copy link
Member

wouterj commented May 18, 2021

The reasoning is similar to #39308: I'm almost certain that we didn't yet test all uses of the old authentication system on the new one. So I want to buy us time to add the missing features/cases in 5.4, before removing the old system in 6.0. Deprecating the old system gives us the most chance to get this type of feedback from bigger applications.

@nicolas-grekas
Copy link
Member

Got it, thanks.
(Rebase needed)

@chalasr
Copy link
Member Author

chalasr commented May 18, 2021

This PR misses deprecating some service definitions, I'm going to finish it tonight.

@chalasr
Copy link
Member Author

chalasr commented May 18, 2021

This is ready.

Note: this PR deprecates the main part of the old system, but it's not exhaustive: there are some classes which won't be needed in 6.0 that this PR does not deprecate. e.g. NoopAuthenticationManager is still needed internally for now.
Why it's not an issue? Fixing the deprecations introduced here implies that you are not using the remaining to-be-deprecated stuff anymore, thus you won't be bothered for the same topic in the next minor.

wouterj
wouterj reviewed May 18, 2021
View reviewed changes
Copy link
Member

@wouterj wouterj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, thanks Robin! I feel very sorry for you after seeing all the SecurityBundle tests that needed fixes as well..

Why it's not an issue? Fixing the deprecations introduced here implies that you are not using the remaining to-be-deprecated stuff anymore, thus you won't be bothered for the same topic in the next minor.

Is this also the reason for not having trigger_deprecation() calls in almost all Guard component classes?

src/Symfony/Component/Security/Core/Authentication/AuthenticationManagerInterface.php Outdated Show resolved Hide resolved
src/Symfony/Component/Security/Core/Authentication/AuthenticationManagerInterface.php Show resolved Hide resolved
src/Symfony/Bundle/SecurityBundle/Resources/config/guard.php Outdated Show resolved Hide resolved
src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator.php Outdated Show resolved Hide resolved
@chalasr chalasr force-pushed the deprec-old-sec branch 3 times, most recently from ddcdb9a to 93d4baf Compare May 18, 2021 22:53
@chalasr
Copy link
Member Author

chalasr commented May 18, 2021
edited

Is this also the reason for not having trigger_deprecation() calls in almost all Guard component classes?

@wouterj Nope, that was a mistake. It's fixed now.
The only files that have no trigger_deprecation() calls but only @deprecated annotations are abstract classes and interfaces as it causes such issues:

. 1x: Since symfony/security-guard 5.3: The "Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator" class is deprecated, use the new authenticator system instead.
1x in ClassLoader::loadClass from Composer\Autoload

I asked @nicolas-grekas who confirmed that we have to skip triggering in this case.

Thanks for the review!

@fabpot
Copy link
Member

fabpot commented May 19, 2021

Thank you @chalasr.

@fabpot fabpot merged commit fef06f2 into symfony:5.x May 19, 2021
@fabpot fabpot mentioned this pull request May 19, 2021
Closed
@chalasr chalasr deleted the deprec-old-sec branch May 19, 2021 09:36
@fabpot fabpot mentioned this pull request May 19, 2021
Merged
@jmsche jmsche mentioned this pull request May 21, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wouterj wouterj wouterj left review comments

@derrabus derrabus derrabus left review comments

@fabpot fabpot fabpot approved these changes

Assignees
No one assigned
Labels
Deprecation Security Status: Reviewed
Projects
None yet
Milestone
5.3
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@chalasr @nicolas-grekas @wouterj @fabpot @derrabus @carsonbot