Symfony 2 SecurityContext class deprecated

Question

I get the following error when I try to reach app/example on symfony demo

Error: The Symfony\\Component\\Security\\Core\\SecurityContext class is deprec

Answer 1

Explanation

Starting with Symfony 2.6 the SecurityContext got split into the TokenStorage and the AuthorizationChecker (see: Symfony Blog - "New in Symfony 2.6: Security component improvements").

The main reason for this was to prevent circular reference which occurred quite often when injecting the SecurityContext into your own services.

Solution

The change itself is 100% backwards compatible (as stated in the linked blog post), you just need to rewrite how you accessed the SecurityContext.

// Symfony 2.5
$user = $this->get('security.context')->getToken()->getUser();
// Symfony 2.6
$user = $this->get('security.token_storage')->getToken()->getUser();

// Symfony 2.5
if (false === $this->get('security.context')->isGranted('ROLE_ADMIN')) { ... }
// Symfony 2.6
if (false === $this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) { ... }

You can simply try to find the culprit by doing a text-search for security.context or SecurityContext in your source code (including the vendor directory).

But as you stated that you're using vanilla Symfony 2.6 it seems that it simply uses some soon to be deprecated methods. So you might simply use this...

Workaround

As Symfony does it's deprecation by triggering E_USER_DEPRECATED errors, you can simply disable them when booting your Symfony AppKernel:

// app/AppKernel.php
class AppKernel extends Kernel
{
    public function __construct($environment, $debug) {
        // Keep error reporting like it was and disable only deprecation warnings.
        error_reporting(error_reporting() & (-1 ^ E_DEPRECATED));
        // ...
    }
}

I personally like the deprecation warnings, because Symfony's changelogs tend to give very detailed information on how you need to change your code to support future versions of Symfony and the deprecation warnings normally are triggered months before the methods are actually deprecated.

Answer 2

It's not a proper error, just a warning.

A deprecated class is a class that is planned to be removed in future releases (of Symfony, in this case).

It suggest you to stop using it, and points you to the newer (and substitutes) class, TokenStorage and AuthorizationChecker, that will take completly over to do the same tasks.

Answer 3

It gets so annoying to see that warning. At the same time you don't want to turn off the warnings. So I thought maybe it's useful to give an example of changing your code to get rid of it. Here's how I changed HWIOAuthBundle's OAuthUtils class to do so. First, I changed /vendor/hwi/oauth-bundle/HWI/Bundle/OAuthBundle/Resources/config/oauth.html from this:

<service id="hwi_oauth.security.oauth_utils" class="%hwi_oauth.security.oauth_utils.class%">
    <argument type="service" id="security.http_utils" />
    <argument type="service" id="security.context" />
    <argument>%hwi_oauth.connect%</argument>
</service>

to this:

<service id="hwi_oauth.security.oauth_utils" class="%hwi_oauth.security.oauth_utils.class%">
    <argument type="service" id="security.http_utils" />
    <argument type="service" id="security.authorization_checker" />
    <argument>%hwi_oauth.connect%</argument>
</service>

Now we have to change it in the /vendor/hwi/oauth-bundle/HWI/Bundle/OAuthBundle/Security/OAuthUtils class from this:

    use Symfony\Component\Security\Core\SecurityContextInterface;
    ...

    /**
     * @var SecurityContextInterface
     */
    private $securityContext;

    /**
     * @param HttpUtils                $httpUtils
     * @param SecurityContextInterface $securityContext
     * @param boolean                  $connect
     */
    public function __construct(HttpUtils $httpUtils, SecurityContextInterface $securityContext, $connect)
    {
        $this->httpUtils       = $httpUtils;
        $this->securityContext = $securityContext;
        $this->connect         = $connect;
    }

to this:

    use Symfony\Component\Security\Core\Authorization\AuthorizationChecker;
    ...

    /**
     * @var AuthorizationChecker
     */
    private $authorizationChecker;

    /**
     * @param HttpUtils                $httpUtils
     * @param AuthorizationChecker     $authorizationChecker
     * @param boolean                  $connect
     */
    public function __construct(HttpUtils $httpUtils, AuthorizationChecker $authorizationChecker, $connect)
    {
        $this->httpUtils            = $httpUtils;
        $this->authorizationChecker = $authorizationChecker;
        $this->connect              = $connect;
    }

Then I made changes where the securityContext was used. Replaced it with authorizationChecker.

    public function getAuthorizationUrl(Request $request, $name, $redirectUrl = null, array $extraParameters = array())
    {
        $resourceOwner = $this->getResourceOwner($name);
        if (null === $redirectUrl) {
            if (!$this->connect || !$this->authorizationChecker->isGranted('IS_AUTHENTICATED_REMEMBERED')) {
                $redirectUrl = $this->httpUtils->generateUri($request, $this->ownerMap->getResourceOwnerCheckPath($name));
            } else {
                $redirectUrl = $this->getServiceAuthUrl($request, $resourceOwner);
            }
        }

        return $resourceOwner->getAuthorizationUrl($redirectUrl, $extraParameters);
    }

The reason of replacing SecurityContext with AuthorizationChecker is because only isGranted method is used in this case. Maybe you could replace it with TokenStorage or use both AuthorizationChecker and TokenStorage if you needed for your case.