- Remove the `Security` class, use `Symfony\Bundle\SecurityBundle\Security` instead
- Require explicit argument when calling `TokenStorage::setToken()`
- Change argument `$lastUsed` of `TokenProviderInterface::updateToken()` to accept `DateTimeInterface`
- Make `PersistentToken` immutable
- Deprecate accepting only `DateTime` for `TokenProviderInterface::updateToken()`, use `DateTimeInterface` instead
- Add `AttributesBasedUserProviderInterface` to allow `$attributes` optional argument on `loadUserByIdentifier`
- Add `OidcUser` with OIDC support for `OidcUserInfoTokenHandler`
- Deprecate the `Security` class, use `Symfony\Bundle\SecurityBundle\Security` instead
- Change the signature of `TokenStorageInterface::setToken()` to `setToken(?TokenInterface $token)`
- Deprecate calling `TokenStorage::setToken()` without arguments
- Add a `ChainUserChecker` to allow calling multiple user checkers for a firewall
- `TokenInterface` does not extend `Serializable` anymore
- Remove all classes in the `Core\Encoder\` sub-namespace, use the `PasswordHasher` component instead
- Remove methods `getPassword()` and `getSalt()` from `UserInterface`, use `PasswordAuthenticatedUserInterface` or `LegacyPasswordAuthenticatedUserInterface` instead
- `AccessDecisionManager` requires the strategy to be passed as an instance of `AccessDecisionStrategyInterface`
- [BC BREAK] `AccessDecisionStrategyTestCase::provideStrategyTests()` is now static
- Add a `CacheableVoterInterface` for voters that vote only on identified attributes and subjects
- Deprecate `AuthenticationEvents::AUTHENTICATION_FAILURE`, use the `LoginFailureEvent` instead
- Deprecate `AnonymousToken`, as the related authenticator was deprecated in 5.3
- Deprecate `Token::getCredentials()`, tokens should no longer contain credentials (as they represent authenticated sessions)
- Deprecate returning `string|\Stringable` from `Token::getUser()` (it must return a `UserInterface`)
- Deprecate `AuthenticatedVoter::IS_AUTHENTICATED_ANONYMOUSLY` and `AuthenticatedVoter::IS_ANONYMOUS`, use `AuthenticatedVoter::IS_AUTHENTICATED_FULLY` or `AuthenticatedVoter::IS_AUTHENTICATED` instead.
- Deprecate `AuthenticationTrustResolverInterface::isAnonymous()` and the `is_anonymous()` expression function as anonymous no longer exists in version 6, use the `isFullFledged()` or the new `isAuthenticated()` instead if you want to check if the request is (fully) authenticated.
- Deprecate the `$authenticationManager` argument of the `AuthorizationChecker` constructor
- Deprecate setting the `$alwaysAuthenticate` argument to `true` and not setting the `$exceptionOnNoToken` argument to `false` of `AuthorizationChecker`
- Deprecate methods `TokenInterface::isAuthenticated()` and `setAuthenticated`, return null from "getUser()" instead when a token is not authenticated
- Add `AccessDecisionStrategyInterface` to allow custom access decision strategies
- Add access decision strategies `AffirmativeStrategy`, `ConsensusStrategy`, `PriorityStrategy`, `UnanimousStrategy`
- Deprecate passing the strategy as string to `AccessDecisionManager`, pass an instance of `AccessDecisionStrategyInterface` instead
- Flag `AccessDecisionManager` as `@final`
The CHANGELOG for version 5.3 and earlier can be found at https://github.com/symfony/symfony/blob/5.3/src/Symfony/Component/Security/CHANGELOG.md