在身份验证之前侦听请求,或者在symfony3中重写/login_check [英] listen to request before authentication or rewrite /login_check in symfony3
问题描述
我正在尝试注册一个事件监听器,该监听器将在/login_check尝试登录用户之前被调用.
I'm trying to register an eventListener which would be called before the /login_check tries to login the user.
我正在编写DDoS保护,每次尝试都将iIlog登录到数据库中(日期,user_id,is_failure),如果用户有超过N次错误的登录尝试,则会生成通过电子邮件发送给正确的用户电子邮件的令牌.没有此令牌的任何人都将被禁止在10分钟内尝试再次登录.
I'm writing a DDoS protection, iIlog in database each try (date, user_id, is_failure), and if an user has more than N wrong attempts to login, I generate a token sent by email to the right user email. Anyone without this token will be forbidden to try another login during 10 minutes.
要继续,我需要:
- 能够在/login_check的开头注册一个eventListener
- 能够重写/login_check以添加事件
我没有发现有关"pre_authentication"的任何事件,您有解决方案吗?
I didn't find any event about "pre_authentication", do you have a solution ?
我不会在存储库方法中编写代码来吸引用户,这不是它的位置.
I won't write the code in a repository method to lad an user, it's not its place.
谢谢
推荐答案
几天前,我遇到了类似的问题.就像您说的那样,即使在尝试进行身份验证之前,我也都无法执行合适的"pre_authentication",这时我仍可以执行检查.(在我的情况下,不能选择AuthenticationSuccess和AuthenticationFailure Handler,因为我想在尝试之前就阻止尝试)
I had a similar problem a few days ago. And like you said i couldn't find a suitable "pre_authentication" either at which point i could execute my checks even before the authentication was attempted. (AuthenticationSuccess and AuthenticationFailure Handler weren't an option in my case since i wanted to block the attempt before it was even tried)
但是最后,我找到了一种适用于我的情况的方法(尽管可能有更好的方法,但我找不到它).
But in the end i found an approach that did work in my case (although there may be a better one but i couldn't find it).
如果您的应用程序使用默认的用户名/密码身份验证,则可以执行以下操作:
If your application is using the default username/password authentication you could do this:
-
扩展UsernamePasswordFormAuthenticationListener
Extend the UsernamePasswordFormAuthenticationListener
class UsernamePasswordFormAuthenticationListener extends \Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener
{
/** @var EntityManagerInterface */
protected $entityManager;
/**
* setter is called through DI container
*
* @param EntityManagerInterface $entityManager
*/
public function setEntityManager(EntityManagerInterface $entityManager)
{
$this->entityManager = $entityManager;
}
/**
*
* @param Request $request
*
* @return null|RedirectResponse|\Symfony\Component\HttpFoundation\Response|\Symfony\Component\Security\Core\Authentication\Token\TokenInterface
*/
protected function attemptAuthentication(Request $request)
{
//do your logic and whatnot here
// i.E. return a redirect repsonse if the token is needed but missing
return parent::attemptAuthentication($request);
}
}
覆盖您services.yml中的原始服务
Overwrite the original service in your services.yml
security.authentication.listener.form:
class: AppBundle\Listener\UsernamePasswordFormAuthenticationListener
parent: security.authentication.listener.abstract
abstract: true
calls: [ [setEntityManager, ["@doctrine.orm.entity_manager"]] ]
(此处使用setter注入是因为构造函数需要大量参数)
(Using setter injection here because the constructor needs like a ton of parameters)
也许这种方法可以满足您的需求,但是没有人有更好的主意
Maybe this approach could fit your needs and nobody has a better idea
这篇关于在身份验证之前侦听请求,或者在symfony3中重写/login_check的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!