symfony 3.4 “Refreshing a deauthenticated user is deprecated”

青春壹個敷衍的年華 submitted on 2019-12-23 19:40:01

Question


While trying to upgrade an existing Symfony project from 3.3.10 to 3.4.x, which should be LTS, I managed to upgrade components through Composer. After the upgrade all things work as expected, but unit tests show a deprecation error:

Refreshing a deauthenticated user is deprecated as of 3.4 and will trigger a logout in 4.0: 77x

Some googling around points me to the commits probably showing the change: https://github.com/showpad/Symfony-Security/pull/1/commits/3663bbec5fc60565de476fc180f85e1121339072

So I tried to resolve it, and after digging in the code I put a new setting into security.xml:

         main:
+            logout_on_user_change: true
             anonymous: ~

This resolves the deprecation warning, but completely breaks the authentication using a custom entity; the user is not authenticated at all and the log shows an error:

[2017-12-07 15:48:24] security.DEBUG: Token was deauthenticated after trying to refresh it. {"username":"aaa","provider":"Symfony\\Bridge\\Doctrine\\Security\\User\\EntityUserProvider"} []

So the question is: "how to properly resolve the deprecation issue?"


Answer 1:


The problem of broken authentication

[2017-12-07 15:48:24] security.DEBUG: Token was deauthenticated after trying to refresh it. {"username":"aaa","provider":"Symfony\\Bridge\\Doctrine\\Security\\User\\EntityUserProvider"} []

was that I was not following the documentation https://symfony.com/doc/3.4/security/entity_provider.html#create-your-user-entity, which says that there should also be a password field (I would not let Symfony put credentials on disk too many times). In Symfony 3.3 it was OK; in Symfony 3.4 the field must be present ...

diff --git a/src/GuserBundle/Entity/User.php b/src/GuserBundle/Entity/User.php
index 4adeaf9..b1b33fd 100644
--- a/src/GuserBundle/Entity/User.php
+++ b/src/GuserBundle/Entity/User.php
@@ -152,13 +152,13 @@ class User implements AdvancedUserInterface, \Serializable {
        /** @see \Serializable::serialize() */
        public function serialize() {
-               return serialize(array($this->id, $this->username, $this->active,));
+               return serialize(array($this->id, $this->username, $this->password, $this->active, $this->locked));
        }
        /** @see \Serializable::unserialize() */
        public function unserialize($serialized) {
-               list($this->id, $this->username, $this->active,) = unserialize($serialized);
+               list($this->id, $this->username, $this->password, $this->active, $this->locked) = unserialize($serialized);
        }
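
Review bot: In unserialize(), the list() now unpacks five positional elements, but any payload written by the old serialize() holds only three (id, username, active), so reading one back would assign the old active value to $this->password and leave active and locked unset. Invalidate existing sessions when this ships, or check the element count before unpacking. Because the string being unserialized comes from session storage, also consider passing ['allowed_classes' => false] as the second argument to unserialize().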


Source: https://stackoverflow.com/questions/47698006/symfony-3-4-refreshing-a-deauthenticated-user-is-deprecated
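
Why leaving the password out of the serialized state ends in a deauthenticated token, as an added example that is not part of the original answer and is not Symfony's own code. It models the refresh-time check as a strict comparison of password, username and the active flag between the session copy and the freshly loaded user, which is a simplification and an assumption; the helper names and sample values are constructed, and PHP 7 or later is assumed.

```php
<?php
// Simplified model (assumption): the user restored from the session must match
// the freshly loaded user on these fields, otherwise the token is deauthenticated.
function hasUserChanged(array $sessionUser, array $freshUser): bool
{
    foreach (['password', 'username', 'active'] as $field) {
        if (($sessionUser[$field] ?? null) !== ($freshUser[$field] ?? null)) {
            return true;
        }
    }
    return false;
}

// "Before" format from the diff: the password never reaches the session payload.
function packWithoutPassword(array $u): string
{
    return serialize([$u['id'], $u['username'], $u['active']]);
}

function unpackWithoutPassword(string $s): array
{
    list($id, $username, $active) = unserialize($s, ['allowed_classes' => false]);
    // The restored object has no password, so the field is null.
    return ['id' => $id, 'username' => $username, 'password' => null, 'active' => $active];
}

// "After" format from the diff (reduced to the fields compared in this model).
function packWithPassword(array $u): string
{
    return serialize([$u['id'], $u['username'], $u['password'], $u['active']]);
}

function unpackWithPassword(string $s): array
{
    list($id, $username, $password, $active) = unserialize($s, ['allowed_classes' => false]);
    return ['id' => $id, 'username' => $username, 'password' => $password, 'active' => $active];
}

// Constructed sample: the user as the provider would reload it from the database.
$fresh = ['id' => 7, 'username' => 'aaa', 'password' => 'constructed-password-hash', 'active' => true];

$before = hasUserChanged(unpackWithoutPassword(packWithoutPassword($fresh)), $fresh);
$after  = hasUserChanged(unpackWithPassword(packWithPassword($fresh)), $fresh);

echo 'password omitted from session:  ', $before ? 'user changed, token deauthenticated' : 'user unchanged', PHP_EOL;
echo 'password included in session:   ', $after ? 'user changed, token deauthenticated' : 'user unchanged', PHP_EOL;
```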
