You are browsing the documentation for Symfony 2.8 which is not maintained anymore.
How to Choose the Password Encoder Algorithm Dynamically
Usually, the same password encoder is used for all users by configuring it to apply to all instances of a specific class:
YAML:

```yaml
# app/config/security.yml
security:
    # ...
    encoders:
        Symfony\Component\Security\Core\User\User: sha512
```

XML:

```xml
<!-- app/config/security.xml -->
<?xml version="1.0" encoding="UTF-8"?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        http://symfony.com/schema/dic/services/services-1.0.xsd"
>
    <config>
        <!-- ... -->
        <encoder class="Symfony\Component\Security\Core\User\User" algorithm="sha512" />
    </config>
</srv:container>
```

PHP:

```php
// app/config/security.php
use Symfony\Component\Security\Core\User\User;

$container->loadFromExtension('security', array(
    // ...
    'encoders' => array(
        User::class => array(
            'algorithm' => 'sha512',
        ),
    ),
));
```
Another option is to use a "named" encoder and then select which encoder you want to use dynamically.

In the previous example, you've set the sha512 algorithm for Acme\UserBundle\Entity\User. This may be secure enough for a regular user, but what if you want your admins to have a stronger algorithm, for example bcrypt? This can be done with named encoders:
YAML:

```yaml
# app/config/security.yml
security:
    # ...
    encoders:
        harsh:
            algorithm: bcrypt
            cost: 15
```

XML:

```xml
<!-- app/config/security.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        http://symfony.com/schema/dic/services/services-1.0.xsd"
>
    <config>
        <!-- ... -->
        <encoder class="harsh" algorithm="bcrypt" cost="15" />
    </config>
</srv:container>
```

PHP:

```php
// app/config/security.php
$container->loadFromExtension('security', array(
    // ...
    'encoders' => array(
        'harsh' => array(
            'algorithm' => 'bcrypt',
            'cost' => '15',
        ),
    ),
));
```
This creates an encoder named harsh. In order for a User instance to use it, the class must implement Symfony\Component\Security\Core\Encoder\EncoderAwareInterface. The interface requires one method, getEncoderName(), which should return the name of the encoder to use:
```php
// src/Acme/UserBundle/Entity/User.php
namespace Acme\UserBundle\Entity;

use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Encoder\EncoderAwareInterface;

class User implements UserInterface, EncoderAwareInterface
{
    public function getEncoderName()
    {
        if ($this->isAdmin()) {
            return 'harsh';
        }

        return null; // use the default encoder
    }
}
```
If you created your own password encoder implementing the Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface, you must register a service for it in order to use it as a named encoder:
YAML:

```yaml
# app/config/security.yml
security:
    # ...
    encoders:
        app_encoder:
            id: 'app.password_encoder_service'
```

XML:

```xml
<!-- app/config/security.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<srv:container xmlns="http://symfony.com/schema/dic/security"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:srv="http://symfony.com/schema/dic/services"
    xsi:schemaLocation="http://symfony.com/schema/dic/services
        http://symfony.com/schema/dic/services/services-1.0.xsd"
>
    <config>
        <!-- ... -->
        <encoder class="app_encoder" id="app.password_encoder_service" />
    </config>
</srv:container>
```

PHP:

```php
// app/config/security.php
$container->loadFromExtension('security', array(
    // ...
    'encoders' => array(
        'app_encoder' => array(
            'id' => 'app.password_encoder_service',
        ),
    ),
));
```
This creates an encoder named app_encoder from a service named app.password_encoder_service.
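The following stand-alone script is an added example, not code from the Symfony documentation or from the Symfony project. It shows, for both sections above, how a named encoder is resolved per user (the EncoderAwareInterface lookup with a fall-back to the user's class, which is the order Symfony's EncoderFactory uses) and what a class implementing PasswordEncoderInterface looks like. The interfaces, the User class, the two encoders and the EncoderFactory below are minimal stand-ins with the same method names as Symfony's, so the script runs with plain PHP and no framework installed; the "sha512" stand-in is a single-pass digest and is not a drop-in for Symfony's MessageDigestPasswordEncoder. Salts and passwords are constructed values.

```php
<?php
// Added example (stand-ins, not Symfony's own classes): how a named encoder is
// selected per user, and what a PasswordEncoderInterface implementation does.

interface EncoderAwareInterface
{
    /** @return string|null encoder name, or null to use the class default */
    public function getEncoderName();
}

interface PasswordEncoderInterface
{
    public function encodePassword($raw, $salt);
    public function isPasswordValid($encoded, $raw, $salt);
}

// Stand-in for the "harsh" bcrypt encoder; cost 15 matches the config above.
// Expect a few seconds per hash at that cost, which is the point of it.
class BcryptEncoder implements PasswordEncoderInterface
{
    private $cost;

    public function __construct($cost)
    {
        $this->cost = (int) $cost;
    }

    public function encodePassword($raw, $salt)
    {
        // bcrypt generates and embeds its own salt; $salt is ignored on purpose.
        return password_hash($raw, PASSWORD_BCRYPT, array('cost' => $this->cost));
    }

    public function isPasswordValid($encoded, $raw, $salt)
    {
        return password_verify($raw, $encoded);
    }
}

// Stand-in for the class-wide sha512 default (single pass, no iterations).
class Sha512Encoder implements PasswordEncoderInterface
{
    public function encodePassword($raw, $salt)
    {
        return hash('sha512', $raw.'{'.$salt.'}');
    }

    public function isPasswordValid($encoded, $raw, $salt)
    {
        // constant-time comparison so verification does not leak timing
        return hash_equals($encoded, $this->encodePassword($raw, $salt));
    }
}

class User implements EncoderAwareInterface
{
    private $roles;
    private $salt;

    public function __construct(array $roles, $salt)
    {
        $this->roles = $roles;
        $this->salt = $salt;
    }

    public function isAdmin()
    {
        return in_array('ROLE_ADMIN', $this->roles, true);
    }

    public function getEncoderName()
    {
        return $this->isAdmin() ? 'harsh' : null; // null => class default
    }

    public function getSalt()
    {
        return $this->salt;
    }
}

// Mirrors the lookup order of Symfony's EncoderFactory::getEncoder():
// an EncoderAwareInterface name wins, otherwise the user's class is the key.
class EncoderFactory
{
    private $encoders;

    public function __construct(array $encoders)
    {
        $this->encoders = $encoders;
    }

    public function getEncoder($user)
    {
        $name = $user instanceof EncoderAwareInterface ? $user->getEncoderName() : null;
        if (null === $name) {
            $name = get_class($user);
        }
        if (!isset($this->encoders[$name])) {
            throw new RuntimeException(sprintf('No encoder configured for "%s".', $name));
        }

        return $this->encoders[$name];
    }
}

$factory = new EncoderFactory(array(
    'User'  => new Sha512Encoder(),   // class-based default entry
    'harsh' => new BcryptEncoder(15), // the named encoder
));

// constructed sample users and secrets
$users = array(
    'admin'  => new User(array('ROLE_ADMIN'), 'constructed-salt-1'),
    'member' => new User(array('ROLE_USER'), 'constructed-salt-2'),
);
foreach ($users as $label => $user) {
    $encoder = $factory->getEncoder($user);
    $hash = $encoder->encodePassword('correct-horse-battery', $user->getSalt());
    printf("%-6s -> %-13s valid=%s\n", $label, get_class($encoder),
        var_export($encoder->isPasswordValid($hash, 'correct-horse-battery', $user->getSalt()), true));
}
```

Run it with `php example.php`: the admin is routed to BcryptEncoder and the member to Sha512Encoder, and both hashes verify. Returning null from getEncoderName() is what keeps the class-wide entry in charge for everyone who is not an admin, so a user whose roles change at runtime is re-evaluated on the next encode or verify.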
This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.