@scheb Do you think you can work on this one soon? We are closing 5.4 for new features.

I got time this weekend!

My suggestion would be to combine adding the new methods (as discussed here) with the changes from #43548 and target 5.4. With new methods added and the existing method becoming deprecated, it should be possible to do it all at once within the 5.4 release.

Force-pushed a draft to deprecate getListeners method and add getFirewallListeners and getExceptionListener as a replacement. Didn't touch the tests yet, would like to get some feedback first if this would be the way to go.

Considerations:

• Wasn't sure of constructor arguments need to be kept backwards compatible. Since FirewallContext and LazyFirewallContext are somewhat internal to security-bundle, I went with changing them.
• Came to the conclusion that deprecation and [Security] Remove sorting of security listeners at runtime from Firewall #43548 can't be done both in 5.4, because there's no guarantee the new methods are actually implemented by the user.

would like to get some feedback first if this would be the way to go.

To me it is, yes 👍 .

Wasn't sure of constructor arguments need to be kept backwards compatible. Since FirewallContext and LazyFirewallContext are somewhat internal to security-bundle, I went with changing them.

We cannot remove them as these classes are not marked as internal. We need to deprecate these constructor parameters first (happy to help with the BC layer.)

Came to the conclusion that deprecation and [Security] Remove sorting of security listeners at runtime from Firewall #43548 can't be done both in 5.4, because there's no guarantee the new methods are actually implemented by the user.

Indeed.

We cannot remove them as these classes are not marked as internal. We need to deprecate these constructor parameters first (happy to help with the BC layer.)

@chalasr Ok, that was what I was afraid of 😟. For derprecating arguments at the end of the argument list it's easy, make it optional and trigger deprecation warning when it's set. Though for arguments in between I'm not really sure how to proceed. Can you point me to an example how to approach this? We could also have a chat on Slack, since that works better for back and forth comms.

Though for arguments in between I'm not really sure how to proceed. Can you point me to an example how to approach this?

See e.g:

Basically:

• Update the argument list to match the new signature
• Remove all type hints from the removed argument to the end of the argument list
• Check one instanceof to see if the old or new signature is used, and activate the BC layer when necessary

So here's a suggestion. The fabbot.io failing seems to be unrelated to my changes.

Considerations:

• The fact that $listeners is an iterable makes things messy when trying to ensure the LogoutListener is contained, since it can be either an array or a (lazy-loaded) iterator. Tried to not mess up the lazy-loading iterators.
• LazyFirewallContext extending the constructor makes things complicated. Decided to just get the argument that matters for that class (the $tokenStorage) from the constructor arguments and push other responsibilities down to be handled in the FirewallContext superclass.

Let me close here as I think that while cleanups are welcome, this one is hard (with BC implications) for little practical benefit. 3 years passed also :)