class Context (View source)

This is the default implementation of a security context, which holds current security information such as roles or details of authenticated users.

Constants

AUTHENTICATE_ANY_TOKEN

Authenticate as many tokens as possible but do not require an authenticated token (e.g. for guest users with role Neos.Flow:Everybody).

AUTHENTICATE_ONE_TOKEN

Stop authentication of tokens after first successful authentication of a token.

AUTHENTICATE_ALL_TOKENS

Authenticate all active tokens and throw an exception if an active token could not be authenticated.

AUTHENTICATE_AT_LEAST_ONE_TOKEN

Authenticate as many tokens as possible but do not fail if a token could not be authenticated and at least one token could be authenticated.
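The four strategies above differ only in how they treat tokens that fail to authenticate. The following model, added here and not Flow's own code, walks an ordered list of tokens and applies each strategy; constant values are placeholders, the tokens are constructed callables, and the model assumes that only AUTHENTICATE_ANY_TOKEN lets a request proceed with no authenticated token at all.

```php
<?php
// Added example, not Flow's own code: a model of how the four AUTHENTICATE_*
// strategies documented above decide the outcome of one authentication run.
// Constant values are placeholders. Each token is a callable returning true
// when its credentials could be authenticated (a constructed stand-in for a
// TokenInterface/provider pair). Assumption: only ANY_TOKEN tolerates a run
// in which no token authenticated.
const AUTHENTICATE_ANY_TOKEN = 1;
const AUTHENTICATE_ONE_TOKEN = 2;
const AUTHENTICATE_ALL_TOKENS = 3;
const AUTHENTICATE_AT_LEAST_ONE_TOKEN = 4;

/**
 * @param callable[] $tokens active tokens, in configuration order
 * @return int[] indexes of the tokens that ended up authenticated
 */
function authenticateTokens(int $strategy, array $tokens): array
{
    $authenticated = [];
    $failed = [];
    foreach ($tokens as $index => $tryAuthenticate) {
        if ($tryAuthenticate()) {
            $authenticated[] = $index;
            if ($strategy === AUTHENTICATE_ONE_TOKEN) {
                break; // ONE_TOKEN: stop after the first success
            }
        } else {
            $failed[] = $index;
        }
    }
    if ($strategy === AUTHENTICATE_ALL_TOKENS && $failed !== []) {
        throw new RuntimeException('ALL_TOKENS: token(s) ' . implode(',', $failed) . ' failed');
    }
    if ($strategy !== AUTHENTICATE_ANY_TOKEN && $authenticated === []) {
        throw new RuntimeException('no token could be authenticated');
    }
    // ANY_TOKEN: an empty result is fine, the request continues as a guest
    // holding only Neos.Flow:Everybody.
    return $authenticated;
}

// Constructed sample: three active tokens, the first one has no valid credentials.
$tokens = [fn () => false, fn () => true, fn () => true];
foreach ([AUTHENTICATE_ANY_TOKEN, AUTHENTICATE_ONE_TOKEN, AUTHENTICATE_ALL_TOKENS, AUTHENTICATE_AT_LEAST_ONE_TOKEN] as $strategy) {
    try {
        echo $strategy, ': authenticated ', json_encode(authenticateTokens($strategy, $tokens)), PHP_EOL;
    } catch (RuntimeException $e) {
        echo $strategy, ': ', $e->getMessage(), PHP_EOL;
    }
}
```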

CSRF_ONE_PER_SESSION

Creates one CSRF token per session.

CSRF_ONE_PER_URI

Creates one CSRF token per URI.

CSRF_ONE_PER_REQUEST

Creates one CSRF token per request.

CONTEXT_HASH_UNINITIALIZED

If the security context isn't initialized (or authorization checks are disabled), this constant is returned by getContextHash().

Properties

protected int $authenticationStrategy

One of the AUTHENTICATE_* constants to set the authentication strategy.

protected int $csrfProtectionStrategy

One of the CSRF_* constants to set the CSRF protection strategy.

protected array $tokenStatusLabels
protected bool $initialized

true if the context is initialized in the current request, false or NULL otherwise.

protected TokenInterface[] $activeTokens

Array of tokens currently active

protected TokenInterface[] $inactiveTokens

Array of tokens currently inactive

protected ActionRequest $request
protected Role[] $roles
protected bool $authorizationChecksDisabled

Whether authorization checks are disabled, see areAuthorizationChecksDisabled().

protected string $contextHash

A hash for this security context that is unique to the currently authenticated roles.

protected array $csrfTokensRemovedAfterCurrentRequest

CSRF tokens that are valid during this request but will be gone after.

protected string $requestCsrfToken

CSRF token created in the current request.

protected TokenAndProviderFactoryInterface $tokenAndProviderFactory
protected SessionManagerInterface $sessionManager
protected PsrSecurityLoggerInterface $securityLogger
protected PolicyService $policyService
protected ObjectManagerInterface $objectManager
protected array $globalObjects

Array of registered global objects that can be accessed as operands

Methods

void
withoutAuthorizationChecks(Closure $callback)

Lets you switch off authorization checks (CSRF token, policies, content security, ...) for the runtime of $callback

bool
areAuthorizationChecksDisabled()

Returns true if authorization should be ignored, otherwise false. This is mainly useful to fetch records without Content Security kicking in (e.g. for AuthenticationProviders).

void
setRequest(ActionRequest $request)

Set the current action request

void
injectSettings(array $settings)

Injects the configuration settings

void
initialize()

Initializes the security context for the given request.

bool
isInitialized()

No description

int
getAuthenticationStrategy()

Get the token authentication strategy

TokenInterface[]
getAuthenticationTokens()

Returns all Authentication\Tokens of the security context which are active for the current request. If a token has a request pattern that cannot match the current request, it is considered inactive.

TokenInterface[]
getAuthenticationTokensOfType(string $className)

Returns all Authentication\Tokens of the security context which are active for the current request and of the given type. If a token has a request pattern that cannot match the current request, it is considered inactive.

Role[]
getRoles()

Returns the roles of all authenticated accounts, including inherited roles.

bool
hasRole(string $roleIdentifier)

Returns true if at least one of the currently authenticated accounts holds a role with the given identifier, including roles inherited recursively.

Account
getAccount()

Returns the account of the first authenticated authentication token.

Account
getAccountByAuthenticationProviderName(string $authenticationProviderName)

Returns an authenticated account for the given provider or NULL if no account was authenticated or no token was registered for the given authentication provider name.

string
getCsrfProtectionToken()

Returns the current CSRF protection token. A new one is created when needed, depending on the configured CSRF protection strategy.

bool
hasCsrfProtectionTokens()

Returns true if the context has CSRF protection tokens.

bool
isCsrfProtectionTokenValid(string $csrfToken)

Returns true if the given string is a valid CSRF protection token. The token is removed after validation if the configured CSRF strategy is 'onePerUri'.

void
setInterceptedRequest(ActionRequest $interceptedRequest = null)

Sets an action request, to be stored for later resuming after it has been intercepted by a security exception.

ActionRequest|null
getInterceptedRequest()

Returns the request that has been stored for later resuming after it has been intercepted by a security exception, or NULL if there is none.

void
clearContext()

Clears the security context.

array
collectRolesAndParentRolesFromAccount(Account $account)

No description

array
collectParentRoles(Role $role)

No description

void
separateActiveAndInactiveTokens(array $tokens)

Stores all active tokens in $this->activeTokens, all others in $this->inactiveTokens

bool
isTokenActive(TokenInterface $token)

Evaluates any RequestPatterns of the given token to determine whether it is active for the current request

  • If no RequestPattern is configured for this token, it is active
  • Otherwise it is active only if at least one configured RequestPattern per type matches the request

array
mergeTokens(array $managerTokens, array $sessionTokens)

Merges the session and manager tokens. All manager token types will be in the result array. If a specific type is found in the session, that token replaces the one (of the same type) given by the manager.

TokenInterface
findBestMatchingToken(TokenInterface $managerToken, array $sessionTokens)

Tries to find a token matching the given manager token in the session tokens; returns that token or, failing that, the manager token.

void
updateTokens(array $tokens)

Updates the token credentials for all tokens in the given array.

void
refreshTokens()

Refreshes all active tokens by updating the credentials.

void
refreshRoles()

Refreshes the currently effective roles. The first-level roles cache is reset and the effective roles are recalculated by calling getRoles().

bool
canBeInitialized()

Checks whether the security context is ready to be initialized. Only after initialization is security active.

string
getContextHash()

Returns a hash that is unique for the current context, depending on the configured hash components, see setContextHashComponent().

string
getSessionTagForAccount(Account $account)

Returns the tag to use for sessions belonging to the given $account.

void
destroySessionsForAccount(Account $account, string $reason = '')

Destroys all sessions belonging to the given $account.

Details

void withoutAuthorizationChecks(Closure $callback)

Lets you switch off authorization checks (CSRF token, policies, content security, ...) for the runtime of $callback

Usage:

    $this->securityContext->withoutAuthorizationChecks(function () use ($accountRepository, $username, $providerName, &$account) {
        // this will disable the PersistenceQueryRewritingAspect for this one call
        $account = $accountRepository->findActiveByAccountIdentifierAndAuthenticationProviderName($username, $providerName);
    });

Parameters

Closure $callback

Return Value

void

Exceptions

Exception

bool areAuthorizationChecksDisabled()

Returns true if authorization should be ignored, otherwise false. This is mainly useful to fetch records without Content Security kicking in (e.g. for AuthenticationProviders).

Return Value

bool

See also

withoutAuthorizationChecks()

void setRequest(ActionRequest $request)

Set the current action request

This method is called manually by the request handler which created the HTTP request.

Parameters

ActionRequest $request

The current ActionRequest

Return Value

void

void injectSettings(array $settings)

Injects the configuration settings

Parameters

array $settings

Return Value

void

Exceptions

Exception

void initialize()

Initializes the security context for the given request.

Return Value

void

Exceptions

Exception

bool isInitialized()

No description

Return Value

bool

true if the Context is initialized, false otherwise.

int getAuthenticationStrategy()

Get the token authentication strategy

Return Value

int

One of the AUTHENTICATE_* constants

TokenInterface[] getAuthenticationTokens()

Returns all Authentication\Tokens of the security context which are active for the current request. If a token has a request pattern that cannot match the current request, it is considered inactive.

Return Value

TokenInterface[]

Array of set tokens

TokenInterface[] getAuthenticationTokensOfType(string $className)

Returns all Authentication\Tokens of the security context which are active for the current request and of the given type. If a token has a request pattern that cannot match the current request, it is considered inactive.

Parameters

string $className

The class name

Return Value

TokenInterface[]

Array of set tokens of the specified type

Role[] getRoles()

Returns the roles of all authenticated accounts, including inherited roles.

If no authenticated roles could be found the "Anonymous" role is returned.

The "Neos.Flow:Everybody" role is always returned.

Return Value

Role[]

Exceptions

Exception
NoSuchRoleException

bool hasRole(string $roleIdentifier)

Returns true if at least one of the currently authenticated accounts holds a role with the given identifier, including roles inherited recursively.

Parameters

string $roleIdentifier

The string representation of the role to search for

Return Value

bool

true, if a role with the given string representation was found

Exceptions

Exception
NoSuchRoleException

Account getAccount()

Returns the account of the first authenticated authentication token.

Note: The remaining tokens may hold accounts that were authenticated more recently. If you need them, fetch them directly from the tokens (see getAuthenticationTokens()).

Return Value

Account

The authenticated account

Account getAccountByAuthenticationProviderName(string $authenticationProviderName)

Returns an authenticated account for the given provider or NULL if no account was authenticated or no token was registered for the given authentication provider name.

Parameters

string $authenticationProviderName

Authentication provider name of the account to find

Return Value

Account

The authenticated account

string getCsrfProtectionToken()

Returns the current CSRF protection token. A new one is created when needed, depending on the configured CSRF protection strategy.

Return Value

string

bool hasCsrfProtectionTokens()

Returns true if the context has CSRF protection tokens.

Return Value

bool

true if the context has CSRF protection tokens, false otherwise.

bool isCsrfProtectionTokenValid(string $csrfToken)

Returns true if the given string is a valid CSRF protection token. The token is removed after validation if the configured CSRF strategy is 'onePerUri'.

Parameters

string $csrfToken

The token string to be validated

Return Value

bool

true, if the token is valid. false otherwise.
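The CSRF_* constants listed at the top and the removal rule of isCsrfProtectionTokenValid() together define the token lifecycle. The class below is an added model of that lifecycle, not Flow's own code: constant values and the token format are placeholders, and the session and request state are kept in plain properties.

```php
<?php
// Added example, not Flow's own code: a model of the three CSRF_* strategies
// and of the single-use behaviour documented for isCsrfProtectionTokenValid().
// Constant values and the token format are placeholders.
const CSRF_ONE_PER_SESSION = 1;
const CSRF_ONE_PER_URI = 2;
const CSRF_ONE_PER_REQUEST = 3;

final class CsrfTokenModel
{
    /** @var array<string, true> currently valid tokens, keyed by token value */
    private array $sessionTokens = [];
    /** @var string|null token minted in the current request (onePerRequest) */
    private ?string $requestToken = null;

    public function __construct(private int $strategy) {}

    public function getCsrfProtectionToken(): string
    {
        if ($this->strategy === CSRF_ONE_PER_SESSION && $this->sessionTokens !== []) {
            return array_key_first($this->sessionTokens); // one token for the whole session
        }
        if ($this->strategy === CSRF_ONE_PER_REQUEST && $this->requestToken !== null) {
            return $this->requestToken; // every URI built in this request shares one token
        }
        // onePerUri, and the first call under the other strategies: mint a fresh token
        $token = bin2hex(random_bytes(16));
        $this->sessionTokens[$token] = true;
        $this->requestToken = $token;
        return $token;
    }

    public function isCsrfProtectionTokenValid(string $csrfToken): bool
    {
        $valid = isset($this->sessionTokens[$csrfToken]);
        if ($valid && $this->strategy === CSRF_ONE_PER_URI) {
            unset($this->sessionTokens[$csrfToken]); // consumed: a replayed token is rejected
        }
        return $valid;
    }

    /** Request boundary: the next request mints a new token under onePerRequest. */
    public function finishRequest(): void
    {
        $this->requestToken = null;
    }
}

$ctx = new CsrfTokenModel(CSRF_ONE_PER_URI);
$token = $ctx->getCsrfProtectionToken();
echo 'first use: ', var_export($ctx->isCsrfProtectionTokenValid($token), true), PHP_EOL;
echo 'replay:    ', var_export($ctx->isCsrfProtectionTokenValid($token), true), PHP_EOL;
```

Under 'onePerUri' the second check on the same token fails, which is what stops a leaked form token from being submitted twice; under the other two strategies the same token stays valid for the session or request.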

Exceptions

Exception

void setInterceptedRequest(ActionRequest $interceptedRequest = null)

Sets an action request, to be stored for later resuming after it has been intercepted by a security exception.

Parameters

ActionRequest $interceptedRequest

Return Value

void

ActionRequest|null getInterceptedRequest()

Returns the request that has been stored for later resuming after it has been intercepted by a security exception, or NULL if there is none.

Return Value

ActionRequest|null

TODO: Revisit type (ActionRequest / HTTP request)

void clearContext()

Clears the security context.

Return Value

void

protected array collectRolesAndParentRolesFromAccount(Account $account)

No description

Parameters

Account $account

Return Value

array

protected array collectParentRoles(Role $role)

No description

Parameters

Role $role

Return Value

array

protected void separateActiveAndInactiveTokens(array $tokens)

Stores all active tokens in $this->activeTokens, all others in $this->inactiveTokens

Parameters

array $tokens

Return Value

void

protected bool isTokenActive(TokenInterface $token)

Evaluates any RequestPatterns of the given token to determine whether it is active for the current request

  • If no RequestPattern is configured for this token, it is active
  • Otherwise it is active only if at least one configured RequestPattern per type matches the request

Parameters

TokenInterface $token

Return Value

bool

true if the given token is active, otherwise false
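The two bullets above hide a detail that matters when configuring tokens: patterns of the same type are combined with OR, and the types are combined with AND. The function below is an added illustration of that rule, not Flow's own isTokenActive(); the pattern arrays and the request array stand in for RequestPatternInterface objects and the ActionRequest.

```php
<?php
// Added example, not Flow's own code: the activity rule documented for
// isTokenActive(), evaluated over request patterns grouped by type. A pattern
// is a constructed ['type' => string, 'matches' => callable]; a real
// RequestPatternInterface exposes matchRequest(ActionRequest $request) instead.

/**
 * @param array $patterns patterns configured for one token
 * @param array $request  constructed stand-in for the current ActionRequest
 */
function isTokenActive(array $patterns, array $request): bool
{
    // Rule 1: a token without request patterns is active for every request.
    if ($patterns === []) {
        return true;
    }
    // Rule 2: patterns of one type are OR-ed, the types are AND-ed: every
    // configured type needs at least one pattern that matches the request.
    $matchedPerType = [];
    foreach ($patterns as $pattern) {
        $type = $pattern['type'];
        $matchedPerType[$type] = ($matchedPerType[$type] ?? false) || $pattern['matches']($request);
    }
    return !in_array(false, $matchedPerType, true);
}

// Constructed patterns: one controller-name pattern and two client-address
// patterns. Consequence of Rule 2: the second 'Ip' pattern widens the set of
// accepted clients rather than narrowing it.
$patterns = [
    ['type' => 'ControllerObjectName', 'matches' => fn (array $r) => str_starts_with($r['controller'], 'Acme\\Backend\\')],
    ['type' => 'Ip', 'matches' => fn (array $r) => str_starts_with($r['clientIp'], '10.0.')],
    ['type' => 'Ip', 'matches' => fn (array $r) => str_starts_with($r['clientIp'], '192.168.')],
];
$requests = [
    'backend from office'  => ['controller' => 'Acme\\Backend\\UserController', 'clientIp' => '10.0.3.7'],
    'backend from home'    => ['controller' => 'Acme\\Backend\\UserController', 'clientIp' => '192.168.1.20'],
    'backend from outside' => ['controller' => 'Acme\\Backend\\UserController', 'clientIp' => '203.0.113.9'],
    'frontend from office' => ['controller' => 'Acme\\Frontend\\PageController', 'clientIp' => '10.0.3.7'],
];
foreach ($requests as $label => $request) {
    echo str_pad($label, 22), isTokenActive($patterns, $request) ? 'active' : 'inactive', PHP_EOL;
}
echo str_pad('no patterns', 22), isTokenActive([], $requests['backend from outside']) ? 'active' : 'inactive', PHP_EOL;
```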

protected array mergeTokens(array $managerTokens, array $sessionTokens)

Merges the session and manager tokens. All manager token types will be in the result array. If a specific type is found in the session, that token replaces the one (of the same type) given by the manager.

Parameters

array $managerTokens

Array of tokens provided by the authentication manager

array $sessionTokens

Array of tokens restored from the session

Return Value

array

Array of Authentication\TokenInterface objects

protected TokenInterface findBestMatchingToken(TokenInterface $managerToken, array $sessionTokens)

Tries to find a token matching the given manager token in the session tokens; returns that token or, failing that, the manager token.

Parameters

TokenInterface $managerToken
array $sessionTokens

Return Value

TokenInterface

Exceptions

SessionNotStartedException

protected void updateTokens(array $tokens)

Updates the token credentials for all tokens in the given array.

Parameters

array $tokens

Array of authentication tokens the credentials should be updated for

Return Value

void

void refreshTokens()

Refreshes all active tokens by updating the credentials.

This is useful when doing an explicit authentication inside a request.

Return Value

void

void refreshRoles()

Refreshes the currently effective roles. The first-level roles cache is reset and the effective roles are recalculated by calling getRoles().

Return Value

void

bool canBeInitialized()

Checks whether the security context is ready to be initialized. Only after initialization is security active.

To be able to initialize, there needs to be an ActionRequest available, usually that is provided by the MVC router.

Return Value

bool

string getContextHash()

Returns a hash that is unique for the current context, depending on the configured hash components, see setContextHashComponent().

Return Value

string

string getSessionTagForAccount(Account $account)

Returns the tag to use for sessions belonging to the given $account.

Parameters

Account $account

Return Value

string

void destroySessionsForAccount(Account $account, string $reason = '')

Destroys all sessions belonging to the given $account.

Parameters

Account $account
string $reason

Return Value

void