Extra authentication criteria

Question

I'm trying to implement an extra authentication layer with the purpose of authenticating the user only if he has a certain status. If the status is different, I want to show a custom login error (Your account has been suspended) and not authenticate the user at all, similar to what happens if the credentials are wrong, but with a different error message.

So far I've tried two options:

1. I've added a check within a listener that checks for an "InteractiveLoginEvent". Here I can check the user status and set a flash error message but I don't see what's the proper way to redirect back to the login page, since this event has no response method, other than using a header() call which I definitely want to avoid.

2. I implemented a custom voter, set the "access_decision_manager" startegy to "unanimous" and returned "ACCESS_DENIED" if the status is not allowing the user to authenticate. So far so good, the user cannot access the resources but I see he still gets authenticated. And I definitely don't want that.

I'm not for sure if I'm missing something or if I'm going in the wrong direction.

Answer 1

Since symfony 2 makes a clear difference between authentication and authorization seems that option 2) is related to authorization, so option 1) is more suitable.

So among the "InteractiveLoginEvent" listener I just added the proper check for the user status and by throwing the following exception I managed to implement my functionality as needed:

throw new AuthenticationException('suspend error message');

So the listener looks something like this:

public function onSecurityInteractiveLogin(InteractiveLoginEvent $event)
{        
    if ($this->securityContext->isGranted('ROLE_CUSTOMROLE')) {
        $user = $this->securityContext->getToken()->getUser();
        // ... check for the user status here

        throw new AuthenticationException('Your account has been suspended!');
    }
}