Updated security/* articles to Symfony 4

Author: javiereguiluz

security/access_control.rst

@@ -44,7 +44,7 @@ Take the following ``access_control`` entries as an example:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -181,7 +181,7 @@ pattern so that it is only accessible by requests from the local server itself:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -308,7 +308,7 @@ the user will be redirected to ``https``:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

security/access_denied_handler.rst

@@ -48,6 +48,7 @@ configure it under your firewall:
 
     .. code-block:: xml
 
+        <!-- config/packages/security.xml -->
         <config>
             <firewall name="main">
                 <access_denied_handler>App\Security\AccessDeniedHandler</access_denied_handler>

security/api_key_authentication.rst

@@ -211,7 +211,7 @@ The ``$userProvider`` might look something like this::
 Next, make sure this class is registered as a service. If you're using the
 :ref:`default services.yaml configuration <service-container-services-load-example>`,
 that happens automatically. A little later, you'll reference this service in
-your :ref:`security.yml configuration <security-api-key-config>`.
+your :ref:`security.yaml configuration <security-api-key-config>`.
 
 .. note::
 
@@ -310,7 +310,7 @@ and ``provider`` keys:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -373,7 +373,7 @@ If you have defined ``access_control``, make sure to add a new entry:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -435,7 +435,7 @@ configuration or set it to ``false``:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

security/csrf_in_login_form.rst

@@ -23,14 +23,14 @@ file:
 
     .. code-block:: yaml
 
-        # app/config/config.yml
+        # config/packages/framework.yaml
         framework:
             # ...
-            csrf_protection: ~
+            csrf_protection: { enabled: true }
 
     .. code-block:: xml
 
-        <!-- app/config/config.xml -->
+        <!-- config/packages/framework.xml -->
         <?xml version="1.0" encoding="UTF-8" ?>
         <container xmlns="http://symfony.com/schema/dic/services"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -47,7 +47,7 @@ file:
 
     .. code-block:: php
 
-        // app/config/config.php
+        // config/packages/framework.php
         $container->loadFromExtension('framework', array(
             'csrf_protection' => null,
         ));
@@ -72,7 +72,7 @@ use the default provider available in the security component:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8" ?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -185,7 +185,7 @@ After this, you have protected your login form against CSRF attacks.
 
         .. code-block:: xml
 
-            <!-- app/config/security.xml -->
+            <!-- config/packages/security.xml -->
             <?xml version="1.0" encoding="UTF-8" ?>
             <srv:container xmlns="http://symfony.com/schema/dic/security"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

security/custom_authentication_provider.rst

@@ -255,13 +255,13 @@ the ``PasswordDigest`` header value matches with the user's password::
 
             // Try to fetch the cache item from pool
             $cacheItem = $this->cachePool->getItem(md5($nonce));
-            
+
             // Validate that the nonce is *not* in cache
             // if it is, this could be a replay attack
             if ($cacheItem->isHit()) {
                 throw new NonceExpiredException('Previously used nonce detected');
             }
-            
+
             // Store the item in cache for 5 minutes
             $cacheItem->set(null)->expiresAfter(300);
             $this->cachePool->save($cacheItem);

security/custom_password_authenticator.rst

@@ -131,10 +131,10 @@ inside of it.
 
 Inside this method, the password encoder is needed to check the password's validity::
 
-        $passwordValid = $this->encoder->isPasswordValid($user, $token->getCredentials());
+    $passwordValid = $this->encoder->isPasswordValid($user, $token->getCredentials());
 
 This is a service that is already available in Symfony and it uses the password algorithm
-that is configured in the security configuration (e.g. ``security.yml``) under
+that is configured in the security configuration (e.g. ``security.yaml``) under
 the ``encoders`` key. Below, you'll see how to inject that into the ``TimeAuthenticator``.
 
 .. _security-password-authenticator-config:
@@ -168,7 +168,7 @@ using the ``simple_form`` key:
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

security/custom_provider.rst

@@ -174,11 +174,11 @@ Now you make the user provider available as a service. If you're using the
 :ref:`default services.yaml configuration <service-container-services-load-example>`,
 this happens automatically.
 
-Modify ``security.yml``
------------------------
+Modify ``security.yaml``
+------------------------
 
 Everything comes together in your security configuration. Add the user provider
-to the list of providers in the "security" section. Choose a name for the user provider
+to the list of providers in the "security" config. Choose a name for the user provider
 (e.g. "webservice") and mention the ``id`` of the service you just defined.
 
 .. configuration-block::
@@ -195,7 +195,7 @@ to the list of providers in the "security" section. Choose a name for the user p
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -242,7 +242,7 @@ users, e.g. by filling in a login form. You can do this by adding a line to the
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -282,7 +282,7 @@ is compared to the hashed password returned by your ``getPassword()`` method.
     Symfony uses a specific method to combine the salt and encode the password
     before comparing it to your encoded password. If ``getSalt()`` returns
     nothing, then the submitted password is simply encoded using the algorithm
-    you specify in ``security.yml``. If a salt *is* specified, then the following
+    you specify in ``security.yaml``. If a salt *is* specified, then the following
     value is created and *then* hashed via the algorithm::
 
         $password.'{'.$salt.'}'
@@ -312,7 +312,7 @@ is compared to the hashed password returned by your ``getPassword()`` method.
 
         .. code-block:: xml
 
-            <!-- app/config/security.xml -->
+            <!-- config/packages/security.xml -->
             <?xml version="1.0" encoding="UTF-8"?>
             <srv:container xmlns="http://symfony.com/schema/dic/security"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

security/entity_provider.rst

@@ -189,7 +189,7 @@ Want to know more? See :ref:`security-serialize-equatable`.
 ----------------------------------------------
 
 Now that you have a ``User`` entity that implements ``UserInterface``, you
-just need to tell Symfony's security system about it in ``security.yml``.
+just need to tell Symfony's security system about it in ``security.yaml``.
 
 In this example, the user will enter their username and password via HTTP
 basic authentication. Symfony will query for a ``User`` entity matching
@@ -452,7 +452,7 @@ interface only requires one method: ``loadUserByUsername($username)``::
     :doc:`mapping definition of your entity </doctrine/repository>`.
 
 To finish this, just remove the ``property`` key from the user provider in
-``security.yml``:
+``security.yaml``:
 
 .. configuration-block::
 

security/expressions.rst

@@ -15,7 +15,7 @@ accepts an :class:`Symfony\\Component\\ExpressionLanguage\\Expression` object::
     use Symfony\Component\ExpressionLanguage\Expression;
     // ...
 
-    public function indexAction()
+    public function index()
     {
         $this->denyAccessUnlessGranted(new Expression(
             '"ROLE_ADMIN" in roles or (user and user.isSuperAdmin())'
@@ -70,17 +70,20 @@ Additionally, you have access to a number of functions inside the expression:
     The ``is_remember_me()`` and ``is_authenticated_fully()`` functions are *similar*
     to using ``IS_AUTHENTICATED_REMEMBERED`` and ``IS_AUTHENTICATED_FULLY``
     with the ``isGranted()`` function - but they are **not** the same. The
-    following shows the difference::
+    following controller snippet shows the difference::
 
         use Symfony\Component\ExpressionLanguage\Expression;
+        use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
         // ...
 
-        $ac = $this->get('security.authorization_checker');
-        $access1 = $ac->isGranted('IS_AUTHENTICATED_REMEMBERED');
+        public function index(AuthorizationCheckerInterface $auth)
+        {
+            $access1 = $auth->isGranted('IS_AUTHENTICATED_REMEMBERED');
 
-        $access2 = $ac->isGranted(new Expression(
-            'is_remember_me() or is_fully_authenticated()'
-        ));
+            $access2 = $auth->isGranted(new Expression(
+                'is_remember_me() or is_fully_authenticated()'
+            ));
+        }
 
     Here, ``$access1`` and ``$access2`` will be the same value. Unlike the
     behavior of ``IS_AUTHENTICATED_REMEMBERED`` and ``IS_AUTHENTICATED_FULLY``,

security/firewall_restriction.rst

@@ -34,7 +34,7 @@ matches the configured ``pattern``.
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -91,7 +91,7 @@ only initialize if the host from the request matches against the configuration.
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
@@ -149,7 +149,7 @@ the provided HTTP methods.
 
     .. code-block:: xml
 
-        <!-- app/config/security.xml -->
+        <!-- config/packages/security.xml -->
         <?xml version="1.0" encoding="UTF-8"?>
         <srv:container xmlns="http://symfony.com/schema/dic/security"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"