I'm working on a Symfony2 application with an API available for other applications.
I want to secure the access to the API. For this part I have no problem.
But I have to make this connection available not with the usual login/password couple but just with an API key.
So I went to the official site and its awesome cookbook for creating a custom authentication provider, just what I need I said to myself.
The example was not what I needed but I decided to adapt it to my needs.
Unfortunately I didn't succeed.
I'll give you my code and I will explain my problem after.
Here is my Factory for creating the authentication provider and the listener:
namespace Pmsipilot\UserBundle\DependencyInjection\Security\Factory;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\DependencyInjection\Reference;
use Symfony\Component\DependencyInjection\DefinitionDecorator;
use Symfony\Component\Config\Definition\Builder\NodeDefinition;
use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
class ApiFactory implements SecurityFactoryInterface
* #param \Symfony\Component\DependencyInjection\ContainerBuilder $container
* #param string $id
* #param aray $config
* #param string $userProvider
* #param string $defaultEntryPoint
* #return array
public function create(ContainerBuilder $container, $id, $config, $userProvider, $defaultEntryPoint)
$providerId = 'security.authentification.provider.api.'.$id;
->setDefinition($providerId, new DefinitionDecorator('api.security.authentification.provider'))
->replaceArgument(0, new Reference($userProvider))
$listenerId = 'security.authentification.listener.api.'.$id;
$listener = $container->setDefinition($listenerId, new DefinitionDecorator('api.security.authentification.listener'));
return array($providerId, $listenerId, $defaultEntryPoint);
* #return string
public function getPosition()
return 'http';
* #return string
public function getKey()
return 'api';
* #param \Symfony\Component\Config\Definition\Builder\NodeDefinition $node
* #return void
public function addConfiguration(NodeDefinition $node)
Next my listener code:
namespace Pmsipilot\UserBundle\Security\Firewall;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Security\Http\Firewall\ListenerInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Pmsipilot\UserBundle\Security\WsseUserToken;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
class ApiListener implements ListenerInterface
protected $securityContext;
protected $authenticationManager;
* Constructor for listener. The parameters are defined in services.xml.
* #param \Symfony\Component\Security\Core\SecurityContextInterface $securityContext
* #param \Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface $authenticationManager
public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager)
$this->securityContext = $securityContext;
$this->authenticationManager = $authenticationManager;
* Handles login request.
* #param \Symfony\Component\HttpKernel\Event\GetResponseEvent $event
* #return void
public function handle(GetResponseEvent $event)
$request = $event->getRequest();
$securityToken = $this->securityContext->getToken();
if($securityToken instanceof AuthenticationToken)
catch(\Exception $exception)
My authentication provider code:
namespace Pmsipilot\UserBundle\Security\Authentication\Provider;
use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
class ApiProvider implements AuthenticationProviderInterface
private $userProvider;
* Constructor.
* #param \Symfony\Component\Security\Core\User\UserProviderInterface $userProvider An UserProviderInterface instance
public function __construct(UserProviderInterface $userProvider)
$this->userProvider = $userProvider;
* #param string $username
* #param \Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken $token
* #return mixed
* #throws \Symfony\Component\Security\Core\Exception\AuthenticationServiceException|\Symfony\Component\Security\Core\Exception\UsernameNotFoundException
protected function retrieveUser($username, UsernamePasswordToken $token)
$user = $token->getUser();
if($user instanceof UserInterface)
return $user;
$user = $this->userProvider->loadUserByApiKey($username, $token->getCredentials());
if(!$user instanceof UserInterface)
throw new AuthenticationServiceException('The user provider must return a UserInterface object.');
return $user;
catch (\Exception $exception)
throw new AuthenticationServiceException($exception->getMessage(), $token, 0, $exception);
* #param TokenInterface $token
* #return null|\Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
* #throws \Symfony\Component\Security\Core\Exception\AuthenticationServiceException|\Symfony\Component\Security\Core\Exception\BadCredentialsException|\Symfony\Component\Security\Core\Exception\UsernameNotFoundException
function authenticate(TokenInterface $token)
$username = $token->getUsername();
throw new AuthenticationServiceException('No username given.');
$user = $this->retrieveUser($username, $token);
if(!$user instanceof UserInterface)
throw new AuthenticationServiceException('retrieveUser() must return a UserInterface.');
$authenticatedToken = new UsernamePasswordToken($user, null, 'api', $user->getRoles());
return $authenticatedToken;
catch(\Exception $exception)
throw $exception;
* #param TokenInterface $token
* #return bool
public function supports(TokenInterface $token)
return true;
To use these two objects I used a yml file to configure them:
<container xmlns="http://symfony.com/schema/dic/services"
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
<service id="pmsipilot.api.security.authentication.factory" class="Pmsipilot\UserBundle\DependencyInjection\Security\Factory\ApiFactory" public="false">
<tag name="security.listener.factory" />
Now the authentication provider code:
namespace Pmsipilot\UserBundle\Security\Authentication\Provider;
use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
class ApiProvider implements AuthenticationProviderInterface
private $userProvider;
* Constructor.
* #param \Symfony\Component\Security\Core\User\UserProviderInterface $userProvider An UserProviderInterface instance
public function __construct(UserProviderInterface $userProvider)
$this->userProvider = $userProvider;
* #param string $username
* #param \Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken $token
* #return mixed
* #throws \Symfony\Component\Security\Core\Exception\AuthenticationServiceException|\Symfony\Component\Security\Core\Exception\UsernameNotFoundException
protected function retrieveUser($username, UsernamePasswordToken $token)
$user = $token->getUser();
if($user instanceof UserInterface)
return $user;
$user = $this->userProvider->loadUserByApiKey($username, $token->getCredentials());
if(!$user instanceof UserInterface)
throw new AuthenticationServiceException('The user provider must return a UserInterface object.');
return $user;
catch (\Exception $exception)
throw new AuthenticationServiceException($exception->getMessage(), $token, 0, $exception);
* #param TokenInterface $token
* #return null|\Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
* #throws \Symfony\Component\Security\Core\Exception\AuthenticationServiceException|\Symfony\Component\Security\Core\Exception\BadCredentialsException|\Symfony\Component\Security\Core\Exception\UsernameNotFoundException
function authenticate(TokenInterface $token)
$username = $token->getUsername();
throw new AuthenticationServiceException('No username given.');
$user = $this->retrieveUser($username, $token);
if(!$user instanceof UserInterface)
throw new AuthenticationServiceException('retrieveUser() must return a UserInterface.');
$authenticatedToken = new UsernamePasswordToken($user, null, 'api', $user->getRoles());
return $authenticatedToken;
catch(\Exception $exception)
throw $exception;
* #param TokenInterface $token
* #return bool
public function supports(TokenInterface $token)
return true;
Just FYI my user provider:
namespace Pmsipilot\UserBundle\Security\Provider;
use Propel\PropelBundle\Security\User\ModelUserProvider;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use \Symfony\Component\Security\Core\Encoder\MessageDigestPasswordEncoder;
class ApiProvider extends ModelUserProvider
* Constructeur
public function __construct()
parent::__construct('Pmsipilot\UserBundle\Model\User', 'Pmsipilot\UserBundle\Proxy\User', 'username');
* #param string $apikey
* #return mixed
* #throws \Symfony\Component\Security\Core\Exception\UsernameNotFoundException
public function loadUserByApiKey($apikey)
$queryClass = $this->queryClass;
$query = $queryClass::create();
$user = $query
if(null === $user)
throw new UsernameNotFoundException(sprintf('User with "%s" api key not found.', $apikey));
$proxyClass = $this->proxyClass;
return new $proxyClass($user);
And for the configuration part my security.yml:
PmsipilotFactory: "%kernel.root_dir%/../src/Pmsipilot/UserBundle/Resources/config/security_factories.xml"
id: pmsipilot.security.user.provider
id: api.security.user.provider
Pmsipilot\UserBundle\Proxy\User: sha512
pattern: ^/(_(profiler|wdt)|css|images|js|favicon.ico)/
security: false
provider: api_provider
access_denied_url: /unauthorizedApi
pattern: ^/api
api: true
http_basic: true
stateless: true
provider: interface_provider
access_denied_url: /unauthorized
pattern: ^/
anonymous: ~
login_path: /login
check_path: /login_check
use_forward: true
default_target_path: /
logout: ~
- { path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: SUPER_ADMIN }
Wow it's a lot of code, I hope it's not too boring.
My problem here is that my custom authentication provider is called by the two firewalls api and interface instead of just by the api one.
And of course they don't behave as I wanted.
I didn't find anything about such an issue.
I know I made a mistake, otherwise it will be working, but where and why I don't know.
I also found this tutorial but it didn't help much more.
Of course, don't hesitate to suggest me if there is another solution for using another authentication provider than the default one.
So I will answer my own question because I found the solution to my problem and I'll tell you how I solved it.
There was some mistake in my example and I understood them searching in the Symfony code.
Like the key returned by the getKey method of the Factory class. I found that the api one I've created was for me not an other parameter to my security.yml file, but a replacement to the http_basic one.
That's why I'm having some trouble using two providers instead of just one, because I got two keys (api and http_basic) which both used a provider. In fact I think it's the reason to that problem.
To make it simple I follow the Symfony tutorial, except for the token class but I replaced the code of the new classes by the code of the Symfony classes.
In a kind of way I recreated the http basic authentication of Symfony to make it posssible to overload.
And here I am, I could do what I want, configure a different type of http authentication based on the Symfony one but with several changes.
This story helped me because know I know that the best way to understand Symfony principles is to go deeper in the code and look after.
I have found much simpler solution. In config.yml you can point to your custom auth. provider class, like this:
security.authentication.provider.dao.class: App\Security\AuthenticationProvider\MyDaoAuthenticationProvider
Of course MyDaoAuthenticationProvider have to extend Symfony\Component\Security\Core\Authentication\Provider\UserAuthenticationProvider
I have come upon your problem, and it seems that you did your code well.
The thing that could also be causing problems is the order of firewall definitions in security.xml.
Try to imagine, if there is some defined Listener(firewall-entry) before your CustomListener and it returns some Response, it will break handlers loop.Eventually it will cause that your CustomListener is registered, but handle method will never be called.
Maybe a little late (5 years later actually), but you have a typo in your Factory.
You wrote:
$providerId = 'security.authentification.provider.api.'.$id;
Where "authentification" has to be authentication
Symfony 5 has changed its guard authentication method to a new Passport based one, using the new security config: enable_authenticator_manager: true;
I would like to know how to authenticate a user in the Registration form method in my controller, after the user is persisted by the ORM (Doctrine);
I have succeeded in authenticating the user using the login form, but I still do not know how to manually do this.
As per Cerad's comment, here is the full answer.
Below is only the part of the code related to the question & answer. These are not the full files.
Also, this is only for Symfony ^5.2 that is not using guard to authenticate the user.
/* config/packages/security.yaml */
enable_authenticator_manager: true
- App\Security\SecurityAuthenticator
/* src/Security/SecurityAuthenticator.php */
use Symfony\Component\Security\Http\Authenticator\AbstractLoginFormAuthenticator;
/* automatically generated with the make:auth command,
the important part is to undestand that this is not a Guard implement
for the Authenticator class */
class SecurityAuthenticator extends AbstractLoginFormAuthenticator
/* src/Controller/RegistrationController.php */
use App\Entity\User;
use App\Form\RegistrationFormType;
use App\Security\SecurityAuthenticator;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Security\Http\Authentication\UserAuthenticatorInterface;
class RegistrationController extends AbstractController
* #Route("/register", name="app_register")
public function register(
Request $request,
UserPasswordEncoderInterface $passwordEncoder,
UserAuthenticatorInterface $authenticator,
SecurityAuthenticator $formAuthenticator): Response
/* Automatically generated by make:registration-form, but some changes are
needed, like the auto-wiring of the UserAuthenticatorInterface and
SecurityAuthenticator */
$user = new User();
$form = $this->createForm(RegistrationFormType::class, $user);
if ($form->isSubmitted() && $form->isValid()) {
// encode the plain password
$user->setPassword($passwordEncoder->encodePassword($user, $form->get('password')->getData()));
$entityManager = $this->getDoctrine()->getManager();
// substitute the previous line (redirect response) with this one.
return $authenticator->authenticateUser(
return $this->render('registration/register.html.twig', [
'registrationForm' => $form->createView(),
For Symfony 6 find working solution, based on #Cerad's comment about UserAuthenticatorInterface::authenticateUser().
I declared my RegisterController in services.yaml with important argument (it is the reason):
$authenticator: '#security.authenticator.form_login.main'
So my RegisterController now looks like:
class RegisterController extends AbstractController
public function __construct(
private FormLoginAuthenticator $authenticator
) {
#[Route(path: '/register', name: 'register')]
public function register(
Request $request,
UserAuthenticatorInterface $authenticatorManager,
): RedirectResponse|Response {
// some create logic
// auth, not sure if RememberMeBadge works, keep testing
$authenticatorManager->authenticateUser($user, $this->authenticator, $request, [new RememberMeBadge()]);
Symfony 5.3 it's work for me
public function register(Request $request, Security $security, UserPasswordEncoderInterface $passwordEncoder, EventDispatcherInterface $dispatcher) {
$token = new UsernamePasswordToken($user, null, 'main', $user->getRoles());
$event = new SecurityEvents($request);
$dispatcher->dispatch($event, SecurityEvents::INTERACTIVE_LOGIN);
return $this->redirectToRoute('home');
Here's my go at it, allowing you to authenticate a user, and also attach attributes to the generated token:
// src/Service/UserService.php
namespace App\Service;
use App\Entity\User;
use App\Security\LoginFormAuthenticator;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
use Symfony\Component\Security\Http\Authentication\AuthenticatorManager;
use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
use Symfony\Component\Security\Http\Authenticator\InteractiveAuthenticatorInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
use Symfony\Component\Security\Http\Event\AuthenticationTokenCreatedEvent;
use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
use Symfony\Component\Security\Http\SecurityEvents;
use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
class UserService
private AuthenticatorInterface $authenticator;
private TokenStorageInterface $tokenStorage;
private EventDispatcherInterface $eventDispatcher;
// This (second parameter) is where you specify your own authenticator,
// if you have defined one; or use the built-in you're using
public function __construct(
LoginFormAuthenticator $authenticator,
TokenStorageInterface $tokenStorage,
EventDispatcherInterface $eventDispatcher
) {
$this->authenticator = $authenticator;
$this->tokenStorage = $tokenStorage;
$this->eventDispatcher = $eventDispatcher;
* #param User $user
* #param Request $request
* #param ?array $attributes
* #return ?Response
public function authenticate(User $user, Request $request, array $attributes = []): ?Response
$firewallName = 'main';
/** #see AuthenticatorManager::authenticateUser() */
$passport = new SelfValidatingPassport(
new UserBadge($user->getUserIdentifier(), function () use ($user) {
return $user;
$token = $this->authenticator->createAuthenticatedToken($passport, $firewallName);
/** #var TokenInterface $token */
$token = $this->eventDispatcher->dispatch(
new AuthenticationTokenCreatedEvent($token, $passport)
/** #see AuthenticatorManager::handleAuthenticationSuccess() */
$response = $this->authenticator->onAuthenticationSuccess($request, $token, $firewallName);
if ($this->authenticator instanceof InteractiveAuthenticatorInterface && $this->authenticator->isInteractive()) {
$loginEvent = new InteractiveLoginEvent($request, $token);
$this->eventDispatcher->dispatch($loginEvent, SecurityEvents::INTERACTIVE_LOGIN);
$loginSuccessEvent = new LoginSuccessEvent(
return $loginSuccessEvent->getResponse();
Largely inspired from AuthenticatorManager::authenticateUser() and AuthenticatorManager::handleAuthenticationSuccess().
This might work depending on your setup. Note that main in the authenticateUserAndHandleSuccess() method is the name of my firewall in config/packages/security.yaml and LoginFormAuthenticator is the authenticator I created using bin/console make:auth.
* #Route("/register", name="app_register")
* #param Request $request
* #param EntityManagerInterface $entityManager
* #param GuardAuthenticatorHandler $handler
* #param LoginFormAuthenticator $authenticator
* #param UserPasswordEncoderInterface $encoder
* #return Response
public function register(
Request $request, EntityManagerInterface $entityManager, GuardAuthenticatorHandler $handler,
LoginFormAuthenticator $authenticator, UserPasswordEncoderInterface $encoder
): Response {
$user = new User();
$form = $this->createForm(RegisterType::class, $user);
if ($form->isSubmitted() && $form->isValid()) {
$plainPassword = $form->get('plainPassword')->getData();
$user->setPassword($encoder->encodePassword($user, $plainPassword));
$handler->authenticateUserAndHandleSuccess($user, $request, $authenticator, 'main');
return $this->render('security/register.html.twig', [
'form' => $form->createView()
I'm pretty new to Symfony in general, I mostly used it because I needed to do something secure very fast, and also to discover Symfony 4.
I'm trying to make a secure connexion with the Security recipe but I'm facing two major problems (probably related) and a small one.
First, I tried to define the salt as nullable but it's still NOT NULL in db. Here's my definition of the column :
* #ORM\Column(name="salt", type="string", nullable=true)
private $salt;
So now the big problems : Passwords I add are not hashed and trying to connect returns error 500
I tried to follow the documentation and here are :
My Entity
use Doctrine\ORM\Mapping as ORM;
use PhpParser\Node\Scalar\String_;
use Symfony\Component\Security\Core\User\UserInterface;
* #ORM\Table(name="app_user")
* #ORM\Entity(repositoryClass="App\Repository\UserRepository")
class User implements UserInterface, \Serializable
* #ORM\Column(type="integer")
* #ORM\Id
* #ORM\GeneratedValue(strategy="AUTO")
private $id;
* #ORM\Column(type="string", length=25, unique=true)
private $username;
* #ORM\Column(type="string", length=255)
private $password;
* #ORM\Column(type="string", length=254, unique=true, nullable=true)
private $email;
* #ORM\Column(name="is_active", type="boolean")
private $isActive;
* #ORM\Column(name="salt", type="string", nullable=true)
private $salt;
* #ORM\Column(name="alias", type="string")
private $alias;
* #return mixed
public function getAlias()
return $this->alias;
* #param mixed $alias
public function setAlias($alias): void
$this->alias = $alias;
public function __construct()
$this->isActive = true;
// may not be needed, see section on salt below
// $this->salt = md5(uniqid('', true));
public function getUsername()
return $this->username;
public function getSalt() :String
// you *may* need a real salt depending on your encoder
// see section on salt below
return $this->salt;
public function getPassword()
return $this->password;
public function getRoles()
return array('ROLE_USER');
public function eraseCredentials()
/** #see \Serializable::serialize() */
public function serialize()
return serialize([
// see section on salt below
// $this->salt
/** #see \Serializable::unserialize() */
public function unserialize($serialized)
list (
// see section on salt below
// $this->salt
) = unserialize($serialized, ['allowed_classes' => false]);
* #return mixed
public function getId()
return $this->id;
* #param mixed $id
public function setId($id): void
$this->id = $id;
* #return mixed
public function getEmail()
return $this->email;
* #param mixed $email
public function setEmail($email): void
$this->email = $email;
* #return mixed
public function getisActive()
return $this->isActive;
* #param mixed $isActive
public function setIsActive($isActive): void
$this->isActive = $isActive;
* #param mixed $username
public function setUsername($username): void
$this->username = $username;
* #param mixed $password
public function setPassword($password): void
$this->password = $password;
* #param mixed $salt
public function setSalt($salt): void
$this->salt = $salt;
My Controllers
namespace App\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
class SecurityController extends Controller
* #Route("/login", name="login")
public function login(Request $request, AuthenticationUtils $authenticationUtils)
// get the login error if there is one
$error = $authenticationUtils->getLastAuthenticationError();
// last username entered by the user
$lastUsername = $authenticationUtils->getLastUsername();
return $this->render('security/login.html.twig', array(
'last_username' => $lastUsername,
'error' => $error,
use App\Entity\User;
use App\Form\UserType;
use App\Repository\UserRepository;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
* #Route("/user")
class UserController extends Controller
* #Route("/", name="user_index", methods="GET")
public function index(UserRepository $userRepository): Response
return $this->render('user/index.html.twig', ['users' => $userRepository->findAll()]);
* #Route("/new", name="user_new", methods="GET|POST")
public function new(Request $request): Response
$user = new User();
$form = $this->createForm(UserType::class, $user);
if ($form->isSubmitted() && $form->isValid()) {
$em = $this->getDoctrine()->getManager();
return $this->redirectToRoute('user_index');
return $this->render('user/new.html.twig', [
'user' => $user,
'form' => $form->createView(),
* #Route("/{id}", name="user_show", methods="GET")
public function show(User $user): Response
return $this->render('user/show.html.twig', ['user' => $user]);
* #Route("/{id}/edit", name="user_edit", methods="GET|POST")
public function edit(Request $request, User $user): Response
$form = $this->createForm(UserType::class, $user);
if ($form->isSubmitted() && $form->isValid()) {
return $this->redirectToRoute('user_edit', ['id' => $user->getId()]);
return $this->render('user/edit.html.twig', [
'user' => $user,
'form' => $form->createView(),
* #Route("/{id}", name="user_delete", methods="DELETE")
public function delete(Request $request, User $user): Response
if ($this->isCsrfTokenValid('delete'.$user->getId(), $request->request->get('_token'))) {
$em = $this->getDoctrine()->getManager();
return $this->redirectToRoute('user_index');
public function register(User $user, UserPasswordEncoderInterface $encoder)
$plainPassword = $user->getPassword();
$encoded = $encoder->encodePassword($user, $plainPassword);
and my security.yaml
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
class: App\Entity\User
property: username
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
anonymous: ~
provider: db_provider
login_path: login
check_path: login
path: /logout
target: /homepage
pattern: ^/admin
http_basic: ~
algorithm: argon2i
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
- { path: ^/admin, roles: ROLE_ADMIN }
I tried to add this after checking if for isSubmited and isValid in my UserController::new()
$plainPassword = $user->getPassword;
$encoded = $encoder->encodePassword($user, $plainPassword);
But I had an error Saying that the UserPasswordEncoderInterface $encoder I passed as method argument wasn't injected when loading the form. Still I'm not sure it would be a good solution to make it work as I would have to duplicate that logic in the UserController::edit(), which does not look like Symfony-like code.
(the error :)
"Controller "App\Controller\UserController::new()" requires that you provide a value for the "$encoder" argument. Either the argument is nullable and no null value has been provided, no default value has been provided or because there is a non optional argument after this one."
I also tried to copy/paste (that how desperate I am...) the code in my UserController and then the SecurityController but this didn't work either
public function register(UserPasswordEncoderInterface $encoder)
// whatever *your* User object is
$user = new App\Entity\User();
$plainPassword = 'ryanpass';
$encoded = $encoder->encodePassword($user, $plainPassword);
I'm getting this as log from the server :
"No encoder has been configured for account "App\Entity\User"."
I also tried to insert directly in my db some values, but trying to connect gave me a "Access Denied" message when entering the right password, which I think is another problem...
I really don't get where I'm wrong and I couldn't find people asking about this. I'd be sincerely grateful if you could help me.
Note :
The UserController routes start with /user and is completely public as I need a user to access secured admin panel.
I'm using MySQL 5.7 and PHP 7.2 if that can be related
Since you're using Argon2i as the encoder algorithm for your entity, your $salt becomes obsolete:
Do you need to use a Salt property?
If you use bcrypt or argon2i, no. Otherwise, yes. All passwords must be hashed with a salt, but bcrypt and argon2i do this internally [...] the getSalt() method in User can just return null (it's not used). [...]
-How to Load Security Users from the Database (the Entity Provider)
Try removing the $salt property and the setter method, and let your getSalt() return null. Persist the user without encoding operations and check the persisted password.
While this can be seen as a dirty hack, it seems to be a good practice...
I finnally found a solution thanks to #LeonWillens. Actually removing the salt property and setters made me discover that the security recipe come without the validator. So I ran composer require doctrine form security validator. I added a plainText field in my Entity which is not a column
* #Assert\NotBlank()
* #Assert\Length(max=4096)
private $plainPassword;
With that, I could add this logic in UserController::new()
* #Route("/new", name="user_new", methods="GET|POST")
public function new(Request $request, UserPasswordEncoderInterface $passwordEncoder): Response
$user = new User();
$form = $this->createForm(UserType::class, $user);
if ($form->isSubmitted() && $form->isValid()) {
$password = $passwordEncoder->encodePassword($user, $user->getPlainPassword());
$em = $this->getDoctrine()->getManager();
return $this->redirectToRoute('user_index');
return $this->render('user/new.html.twig', [
'user' => $user,
'form' => $form->createView(),
I change the encoders in my security.yaml
Symfony\Component\Security\Core\User\User: plaintext
algorithm: argon2i
And now adding a user work perfectly. I still have problems with connexion, but no such thing as an Exception thrown
I'm in trouble with authentication with symfony 4 on my first REST API.
The fact is my authentication succeed, and then my redirect URL is called, but the authentication token is lost during this redirection. I've also noticed that my serialize method is never called on my User Entity.
What I want is : When my Authentication is succeeded, then my profile page is called.
But with that code, all I get is a 302 redirection from profile, means that my authentication works, but the token was lost (if it exist, never seen it)
My only hints are :
Serialize method in User never called (is this important ?) EDIT : no because i need to be stateless, so remove those methods.
My Authentication works because if I make a mistake in credential I got a correct error.
Here is the code :
My Provider
declare(strict_types = 1);
namespace App\Api\Auth\Provider;
use App\Api\User\Entity\User;
use App\Api\User\Repository\UserRepository;
use App\Domain\User\ValueObject\Email;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
class AuthProvider implements UserProviderInterface
* #var \App\Api\User\Repository\UserRepository
private $userRepository;
* AuthProvider constructor.
* #param \App\Api\User\Repository\UserRepository $repository
public function __construct(UserRepository $repository)
$this->userRepository = $repository;
* #param string $email
* #return mixed
public function loadUserByUsername($email)
try {
$user = $this->userRepository->getUser($email);
} catch (UnsupportedUserException $e) {
throw new UsernameNotFoundException('User not found', 1001, $e);
return $user;
* #param \Symfony\Component\Security\Core\User\UserInterface | User $user
* #return mixed
public function refreshUser(UserInterface $user)
return $this->loadUserByUsername($user->getEmail());
* Qualify the supported class for this provider
* #param string $class
* #return string
public function supportsClass($class)
if (!$class instanceof User) {
throw new UnsupportedUserException(
sprintf('Entity given is not supported, expected User got %s', $class),
return $class;
My Guard :
declare(strict_types = 1);
namespace App\Api\Auth\Guard;
use App\Api\User\Repository\UserRepository;
use App\Domain\User\Exception\InvalidCredentialsException;
use App\Domain\User\ValueObject\Credentials;
use App\Domain\User\ValueObject\Email;
use App\Domain\User\ValueObject\HashedPassword;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator;
* Allow the authentication by giving credential, when login process achieved and valid, profile page show up
* Class LoginAuthenticator
* #package App\Api\Auth\Guard
final class LoginAuthenticator extends AbstractFormLoginAuthenticator
const LOGIN = 'login';
const SUCCESS_REDIRECT = 'profile';
* #var \Symfony\Component\Routing\Generator\UrlGeneratorInterface
private $router;
* #var \App\Api\User\Repository\UserRepository
private $repository;
public function __construct(UrlGeneratorInterface $router, UserRepository $userRepository)
$this->router = $router;
$this->repository = $userRepository;
* This method will pass the returning array to getUser and getCredential methods automatically
* #param \Symfony\Component\HttpFoundation\Request $request
* #return array
public function getCredentials(Request $request)
return [
'email' => $request->get('email'),
'password' => $request->get('password')
* In the case or the Guard and the Authenticator is the same, this method is called just after getCredentials
* #param mixed $credentials
* #param \Symfony\Component\Security\Core\User\UserProviderInterface $userProvider
* #return null|\Symfony\Component\Security\Core\User\UserInterface|void
public function getUser($credentials, UserProviderInterface $userProvider): UserInterface
try {
$email = $credentials['email'];
$mail = Email::fromString($email);
$user = $userProvider->loadUserByUsername($mail->toString());
if ($user instanceof UserInterface) {
$this->checkCredentials($credentials, $user);
} catch (InvalidCredentialsException $exception) {
throw new AuthenticationException();
return $user;
* The ùail has been found, because a user has been identified, we take the has password we have to compare
* #param mixed $credentials
* #param \Symfony\Component\Security\Core\User\UserInterface $user
* #return bool
public function checkCredentials($credentials, UserInterface $user)
$mail = Email::fromString($credentials['email']);
$userCredentials = new Credentials($mail, HashedPassword::fromHash($user->getPassword()));
// Plain password compared
$match = $userCredentials->password->match($credentials['password']);
if (!$match) {
throw new InvalidCredentialsException();
return true;
* Called when authentication executed and was successful!
* This should return the Response sent back to the user, like a
* RedirectResponse to the last page they visited.
* If you return null, the current request will continue, and the user
* will be authenticated. This makes sense, for example, with an API.
* #param \Symfony\Component\HttpFoundation\Request $request
* #param \Symfony\Component\Security\Core\Authentication\Token\TokenInterface $token
* #param string $providerKey
* #return RedirectResponse
public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
return new RedirectResponse($this->router->generate(self::SUCCESS_REDIRECT));
protected function getLoginUrl(): string
return $this->router->generate(self::LOGIN);
* Does the authenticator support the given Request?
* If this returns false, the authenticator will be skipped.
* #param Request $request
* #return bool
public function supports(Request $request)
return $request->getPathInfo() === $this->router->generate(self::LOGIN) && $request->isMethod('POST');
My Security.yml
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
id: 'App\Api\Auth\Provider\AuthProvider'
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
stateless: true
anonymous: true
provider: users
entry_point: 'App\User\Auth\Guard\LoginAuthenticator'
- 'App\Api\Auth\Guard\LoginAuthenticator'
login_path: /sign-in
check_path: sign-in
path: /logout
target: /
pattern: ^/(/user/*|/api|)
stateless: true
- 'App\Api\Auth\Guard\LoginAuthenticator'
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
- { path: ^/api, roles: USER }
- { path: ^/user/*, roles: USER }
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
My User entity
declare(strict_types = 1);
namespace App\Api\User\Entity;
use App\Domain\User\Repository\Interfaces\CRUDInterface;
use App\Shared\Entity\Traits\CreatedTrait;
use App\Shared\Entity\Traits\DeletedTrait;
use App\Shared\Entity\Traits\EntityNSTrait;
use App\Shared\Entity\Traits\IdTrait;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;
use Symfony\Component\Security\Core\User\UserInterface;
* #ORM\Table(name="app_users")
* #ORM\Entity(repositoryClass="App\Api\User\Repository\UserRepository")
class User implements UserInterface, CRUDInterface, \Serializable, EncoderAwareInterface
use IdTrait;
use CreatedTrait;
use DeletedTrait;
use EntityNSTrait;
* #ORM\Column(type="string", length=25, unique=false, nullable=true)
private $username;
* #ORM\Column(type="string", length=64)
private $password;
* #ORM\Column(type="string", length=254, unique=true)
private $email;
* #return mixed
public function getEmail()
return $this->email;
* #param mixed $email
* #return User
public function setEmail($email)
$this->email = $email;
return $this;
public function __construct()
public function getUsername()
return $this->username;
public function getSalt()
// you *may* need a real salt depending on your encoder
// see section on salt below
return null;
public function getPassword()
return $this->password;
public function getRoles()
return array('USER');
* From UserInterface
public function eraseCredentials()
// Never used ?‡
/** #see \Serializable::serialize() */
public function serialize()
var_dump('need it'); // never called
return serialize([
// see section on salt below
// $this->salt,
/** #see \Serializable::unserialize() */
public function unserialize($serialized)
list (
// see section on salt below
// $this->salt
) = unserialize($serialized, ['allowed_classes' => false]);
* #param mixed $password
* #return User
public function setPassword($password)
$this->password = $password;
return $this;
* Gets the name of the encoder used to encode the password.
* If the method returns null, the standard way to retrieve the encoder
* will be used instead.
* #return string
public function getEncoderName()
return 'bcrypt';
It's my really first project on SF4, it's maybe a dumb mistake but can't find it.
EDIT : I tried to pass in security config the attribute stateless to false, my serialize method were called but then I have an access denied error on profile page.
I need to stay "stateless" but it may help you to find a solution.
A stateless firewall will never store the token in the session, so you have to pass the credentials for every request you make to the API.
Currently your guard class returns a redirect, so your authentication is lost due to symfony not storing the token for stateless firewalls. To solve this, you should return null in the method onAuthenticationSuccess instead of doing a redirect. This also means, that you should create a separate guard class for the API firewall.
You can also find a good guard example for APIs in the symfony docs: https://symfony.com/doc/current/security/guard_authentication.html#step-1-create-the-authenticator-class
I slightly misunderstood what you are trying to achieve. So it seems that you want to have a pure REST application with symfony and authenticate the user once where you then get back a token which can be used for future requests.
Some time ago I had the same issue and I stumbled over a very good bundle called LexikJWTAuthenticationBundle. This bundle gives you the necessary feature you need out of the box.
If you install it by following the Getting started documentation, you should have the basics for this.
Your configuration should then look something like this:
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
id: 'App\Api\Auth\Provider\AuthProvider'
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
pattern: ^/api/sign-in
stateless: true
anonymous: true
check_path: /api/login_check
username_parameter: email
password_parameter: password
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
require_previous_session: false
pattern: ^/(/user/*|/api|)
stateless: true
anonymous: true
- lexik_jwt_authentication.jwt_token_authenticator
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
- { path: ^/api, roles: USER }
- { path: ^/user/*, roles: USER }
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
But don't forget to add the login_check route to your routes.yml
path: /api/login_check
If everything is setup correctly, you should now be able to retrieve a new token with the following request:
curl -X POST http://localhost/api/login_check -d _username=yourUsername -d _password=yourPassword
The token you received with this call should then be used for all future request to the API. You can pass it via the Authorization header
curl -H "Authorization: Bearer $YOUR_TOKEN" http://localhost/api/some-protected-route`
If you want to pass it differently (e.g. via query param) you have to change the configuration of this bundle:
enabled: true
name: auth
Now you could use https://localhost/api/some-protecte-route?auth=$YOUR_TOKEN instead.
For more information about this, take a look at the configuration reference of this bundle
I hope this helps a little bit to get you started with.
Iam using FOS User bundle to login in my site. For a requirement I need to make changes in the Fos user bundle user provider(
I have created a userProvider that extends the original userProvider in
FOS and have overridden the loadUserByUsername method to make my changes. It is given below
* This file is part of the FOSUserBundle package.
* (c) FriendsOfSymfony <http://friendsofsymfony.github.com/>
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
namespace Common\UtilityBundle\Security;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface as SecurityUserInterface;
use FOS\UserBundle\Model\User;
use FOS\UserBundle\Model\UserInterface;
use FOS\UserBundle\Model\UserManagerInterface;
use FOS\UserBundle\Propel\User as PropelUser;
use FOS\UserBundle\Security\UserProvider as FOSProvider;
use Symfony\Component\DependencyInjection\ContainerInterface;
class UserProvider extends FOSProvider
* #var ContainerInterface
protected $container;
protected $userManager;
public function __construct(UserManagerInterface $userManager, ContainerInterface $container) {
$this->userManager = $userManager;
$this->container = $container;
* {#inheritDoc}
public function loadUserByUsername($username)
$user = $this->findUserUsername($username);
if (!$user) {
throw new UsernameNotFoundException(sprintf('Username "%s" does not exist.', $username));
return $user;
* {#inheritDoc}
public function refreshUser(SecurityUserInterface $user)
if (!$user instanceof User && !$user instanceof PropelUser) {
throw new UnsupportedUserException(sprintf('Expected an instance of FOS\UserBundle\Model\User, but got "%s".', get_class($user)));
if (!$this->supportsClass(get_class($user))) {
throw new UnsupportedUserException(sprintf('Expected an instance of %s, but got "%s".', $this->userManager->getClass(), get_class($user)));
if (null === $reloadedUser = $this->userManager->findUserBy(array('id' => $user->getId()))) {
throw new UsernameNotFoundException(sprintf('User with ID "%d" could not be reloaded.', $user->getId()));
return $reloadedUser;
* {#inheritDoc}
public function supportsClass($class)
$userClass = $this->userManager->getClass();
return $userClass === $class || is_subclass_of($class, $userClass);
* Finds a user by username.
* This method is meant to be an extension point for child classes.
* #param string $username
* #return UserInterface|null
protected function findUserUsername($username)
return $this->userManager->findUserByUsername($username);
* Finds a user by username.
* This method is meant to be an extension point for child classes.
* #param string $username
* #return UserInterface|null
protected function findUserClub($username, $club)
return $this->userManager->findUserByClub($club, $username);
I have configured the service with the following.
class: %Common_utility.security.user_provider.class%
- #fos_user.user_manager
- #service_container
My security.yml looks like this:
FOS\UserBundle\Model\UserInterface: sha512
id: fg.security.authentication.userprovider
In my parameter.yml, I set the argument as:
Common_utility.security.user_provider.class: Common\UtilityBundle\Security\UserProvider
But all the time Iam getting the error like below:
Uncaught exception
with message 'The service "security.authentication.manager" has a
dependency on a non-existent service
"security.user.provider.concrete.fos_userbundle".' in
Does anybody know how to get this working?
I am trying to configure my Symfony2.4 application to use a custom authenticator to check a database table to protect against brute force login attempts and I am running into a problem where when a user gives the correct credentials, they are re-directed back to the login screen instead of to their given URL. Here is my security.yml file:
Symfony\Component\Security\Core\User\User: plaintext
Acme\FakeBundle\Entity\User: sha512
Acme\FakeBundle\Entity\User: sha512
id: my_custom_user_provider
pattern: ^/(_(profiler|wdt)|css|images|js|media|img)/
security: false
pattern: ^(/register|/register/details|/register/success)$
security: false
pattern: ^(/login(?!_check$))|^(?!support).privacy|^(?!support).terms_and_conditions
security: false
pattern: ^/
authenticator: my_custom_authenticator
check_path: /login_check
login_path: /login
username_parameter: form[_username]
password_parameter: form[_password]
csrf_parameter: form[_token]
path: /logout
target: /login
- { path: ^/, roles: IS_AUTHENTICATED_FULLY, requires_channel: %force_channel% }
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel:%force_channel%}
Here is my custom User Provider:
namespace Acme\FakeBundle\Services;
use Doctrine\ORM\NoResultException;
use Acme\FakeBundle\Entity\User;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Doctrine\ORM\EntityManager;
use Doctrine\ORM\EntityRepository;
class AcmeFakeUserProvider implements UserProviderInterface
* Holds the Doctrine entity manager for database interaction
* #var EntityManager
protected $em;
* Fake bundle User entity repository
* #var EntityRepository
protected $user_repo;
* Fake bundle FloodTableEntry repository
* #var EntityRepository
protected $flood_table_repo;
protected $container;
* #var \Symfony\Component\HttpFoundation\Request
protected $request;
public function __construct(EntityManager $em, ContainerInterface $container)
$this->em = $em;
$this->user_repo = $this->em->getRepository("AcmeFakeBundle:User");
$this->flood_table_repo = $this->em->getRepository('AcmeFakeBundle:FloodTableEntry');
$this->container = $container;
$this->request = $this->container->get('request');
* #return User
public function loadUserByUsername($username)
$q = $this->user_repo
->where('LOWER(u.username) = :username OR u.email = :email')
->setParameter('username', strtolower($username))
->setParameter('email', $username)
try {
* Verify that the user has not tried to log in more than 5 times in the last 5 minutes for
* the same username or from the same IP Address. If so, block them from logging in and notify
* them that they must wait a few minutes before trying again.
$qb2 = $this->flood_table_repo->createQueryBuilder('f');
$entries = $qb2
->where($qb2->expr()->eq('f.ipAddress', ':ipAddress'))
->andWhere($qb2->expr()->gte('f.attemptTime', ':fiveMinsAgo'))
'fiveMinsAgo' => date('o-m-d H:i:s',time() - 5 * 60),
'ipAddress' => $this->request->getClientIp(),
if (count($entries) >= 10) {
throw new AuthenticationException("Too many unsuccessful login attempts. Try again in a few minutes.");
// The Query::getSingleResult() method throws an exception
// if there is no record matching the criteria.
$user = $q->getSingleResult();
} catch (NoResultException $e) {
$message = sprintf(
'Unable to find an active admin AcmeFakeBundle:User object identified by "%s".',
throw new UsernameNotFoundException($message, 0, $e);
return $user;
* #return User
public function refreshUser(UserInterface $user)
$class = get_class($user);
if (!$this->supportsClass($class)) {
throw new UnsupportedUserException(
'Instances of "%s" are not supported.',
return $this->user_repo->find($user->getId());
public function supportsClass($class)
return 'Acme\FakeBundle\Entity\User' === $class
|| is_subclass_of($class, 'Acme\FakeBundle\Entity\User');
And finally, here is the custom authenticator:
namespace Acme\FakeBundle\Services;
use Acme\FakeBundle\Entity\User;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Doctrine\ORM\EntityManager;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Authentication\SimpleFormAuthenticatorInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserProviderInterface;
class AcmeFakeAuthenticator implements SimpleFormAuthenticatorInterface
private $container;
private $encoderFactory;
* #var \Acme\FakeBundle\Services\FloodTableManager
protected $floodManager;
* Holds the Doctrine entity manager for database interaction
* #var EntityManager
protected $em;
* #var \Symfony\Component\HttpFoundation\Request
protected $request;
public function __construct(ContainerInterface $container, EncoderFactoryInterface $encoderFactory)
$this->container = $container;
$this->encoderFactory = $encoderFactory;
$this->floodManager = $this->container->get('acme.fakebundle.floodtable');
$this->em = $this->container->get('doctrine.orm.fakebundle_entity_manager');
$this->request = $this->container->get('request');
public function createToken(Request $request, $username, $password, $providerKey)
return new UsernamePasswordToken($username, $password, $providerKey);
public function authenticateToken(TokenInterface $token, UserProviderInterface $userProvider, $providerKey)
try {
$user = $userProvider->loadUserByUsername($token->getUsername());
} catch (UsernameNotFoundException $e) {
$this->floodManager->addLoginFailureToFloodTable($token->getUsername(), $this->request->getClientIp());
throw new AuthenticationException('Invalid username or password');
$passwordValid = $this->encoderFactory
if ($passwordValid) {
// If User is not active, throw appropriate exception
$status = $user->getStatus();
if (!$status == User::USER_ACTIVE) {
// If User's account is waiting on available seats, print this message:
if ($status == User::USER_PENDING_SEAT) {
throw new AuthenticationException("Account pending activation");
} else {
// Otherwise, User's account is inactive, print this error message.
throw new AuthenticationException("Account inactive");
return new UsernamePasswordToken(
$this->floodManager->addLoginFailureToFloodTable($user->getUsername(), $this->request->getClientIp());
throw new AuthenticationException('Invalid username or password');
public function supportsToken(TokenInterface $token, $providerKey)
return $token instanceof UsernamePasswordToken && $token->getProviderKey() === $providerKey;
When a user gives incorrect login credentials it is handled correctly (i.e. the correct AuthenticationException is thrown with the correct message). However, as mentioned above, if the correct credentials are given then the user simply stays on the login page with no error message being shown.
I think I found the answer the problem is your regex in unsecured_area.^/login_(?!check$)
does match "login_check".the dollar sign should be after the parantheses as in (?!_check)$.What's currently happening is the login_check path falls under the unsecured_area firewall and the token isn't set for the context of Secured_area.Actually I don't think it's kept anywhere since security: false for unsecured_area.read up on the firewall context in http://symfony.com/doc/current/book/security.html#book-security-common-pitfalls