Use NullToken while checking authorization

This allows to e.g. have some objects that can be viewed by anyone (even unauthenticated users).

Author: wouterj

Authentication/AuthenticationTrustResolver.php

@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Core\Authentication;
 
 use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
+use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 
@@ -31,7 +32,7 @@ public function isAnonymous(TokenInterface $token = null)
             return false;
         }
 
-        return $token instanceof AnonymousToken;
+        return $token instanceof AnonymousToken || $token instanceof NullToken;
     }
 
     /**

Authentication/Token/NullToken.php

@@ -0,0 +1,105 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication\Token;
+
+/**
+ * @author Wouter de Jong <[email protected]>
+ */
+class NullToken implements TokenInterface
+{
+    public function __toString(): string
+    {
+        return '';
+    }
+
+    public function getRoleNames(): array
+    {
+        return [];
+    }
+
+    public function getCredentials()
+    {
+        return '';
+    }
+
+    public function getUser()
+    {
+        return null;
+    }
+
+    public function setUser($user)
+    {
+        throw new \BadMethodCallException('Cannot set user on a NullToken.');
+    }
+
+    public function getUsername()
+    {
+        return '';
+    }
+
+    public function isAuthenticated()
+    {
+        return true;
+    }
+
+    public function setAuthenticated(bool $isAuthenticated)
+    {
+        throw new \BadMethodCallException('Cannot change authentication state of NullToken.');
+    }
+
+    public function eraseCredentials()
+    {
+    }
+
+    public function getAttributes()
+    {
+        return [];
+    }
+
+    public function setAttributes(array $attributes)
+    {
+        throw new \BadMethodCallException('Cannot set attributes of NullToken.');
+    }
+
+    public function hasAttribute(string $name)
+    {
+        return false;
+    }
+
+    public function getAttribute(string $name)
+    {
+        return null;
+    }
+
+    public function setAttribute(string $name, $value)
+    {
+        throw new \BadMethodCallException('Cannot add attribute to NullToken.');
+    }
+
+    public function __serialize(): array
+    {
+        return [];
+    }
+
+    public function __unserialize(array $data): void
+    {
+    }
+
+    public function serialize()
+    {
+        return '';
+    }
+
+    public function unserialize($serialized)
+    {
+    }
+}

Authorization/AuthorizationChecker.php

@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Core\Authorization;
 
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
+use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
 
@@ -52,11 +53,11 @@ final public function isGranted($attribute, $subject = null): bool
                 throw new AuthenticationCredentialsNotFoundException('The token storage contains no authentication token. One possible reason may be that there is no firewall configured for this URL.');
             }
 
-            return false;
-        }
-
-        if ($this->alwaysAuthenticate || !$token->isAuthenticated()) {
-            $this->tokenStorage->setToken($token = $this->authenticationManager->authenticate($token));
+            $token = new NullToken();
+        } else {
+            if ($this->alwaysAuthenticate || !$token->isAuthenticated()) {
+                $this->tokenStorage->setToken($token = $this->authenticationManager->authenticate($token));
+            }
         }
 
         return $this->accessDecisionManager->decide($token, [$attribute], $subject);

Tests/Authorization/AuthorizationCheckerTest.php

@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Core\Tests\Authorization;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Authorization\AuthorizationChecker;
@@ -77,7 +78,13 @@ public function testVoteWithoutAuthenticationTokenAndExceptionOnNoTokenIsFalse()
     {
         $authorizationChecker = new AuthorizationChecker($this->tokenStorage, $this->authenticationManager, $this->accessDecisionManager, false, false);
 
-        $this->assertFalse($authorizationChecker->isGranted('ROLE_FOO'));
+        $this->accessDecisionManager
+            ->expects($this->once())
+            ->method('decide')
+            ->with($this->isInstanceOf(NullToken::class))
+            ->willReturn(true);
+
+        $this->assertTrue($authorizationChecker->isGranted('ANONYMOUS'));
     }
 
     /**