[Security] Fixed SwitchUserListener when exiting an impersonication with AnonymousToken

lyrixx · lyrixx · commit cdae16c3faa3 · 2016-04-03T22:28:33.000+02:00
If you configure a firewall with switch user with `role: IS_AUTHENTICATED_ANONYMOUSLY` it's impossible to exit the 
impersonation because the next line `$this-&gt;provider-&gt;refreshUser($original-&gt;getUser())` will fail. It fails because `RefreshUser`
expects an instance of `UserInterface` and here it's a string.

Therefore, it does not make sense to refresh an Anonymous Token, right ?
diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -22,6 +22,7 @@
 use Symfony\Component\HttpFoundation\RedirectResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Security\Core\Role\SwitchUserRole;
+use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
@@ -162,7 +163,7 @@ private function attemptExitUser(Request $request)
             throw new AuthenticationCredentialsNotFoundException('Could not find original Token object.');
         }
 
-        if (null !== $this->dispatcher) {
+        if (null !== $this->dispatcher && !$original instanceof AnonymousToken) {
             $user = $this->provider->refreshUser($original->getUser());
             $switchEvent = new SwitchUserEvent($request, $user);
             $this->dispatcher->dispatch(SecurityEvents::SWITCH_USER, $switchEvent);
