Let’s display the profiler for a request matching a lone lazy firewall:

firewalls:
    main:
        lazy: true

Since no channel is forced, we know the ChannelListener did not run. To make it more obvious, this PR displays (none) instead of 0.00 ms when the duration is null (which will happen once #57369 is merged).

Before

After

But what about the ContextListener? Since the firewall is stateful we know it ran, yet its displayed duration also is 0.00 ms.
Turns out that because the firewall is lazy, the ContextListener ran way past the moment the TraceableFirewallListener stored its data. In fact, it may be the SecurityDataCollector itself which trigger it by accessing the security token. This PR makes the TraceableFirewallListener fetch data only when needed, so that they’re up-to-date when the SecurityDataCollector asks for them.

Before

After

Now, let’s add a global access control so that the AccessListener can do its job:

access_control:
    - { roles: ROLE_USER }

The profiler then says no security listeners have been recorded 🤔

This is because the AccessListener let the ExceptionListener work out a response by throwing AccessDeniedExceptions. When this happens, the TraceableFirewallListener is cut short before it can store the data it needs (note that it also impacts non-lazy firewalls, but past listeners would then be recorded).

This PR stores these data before listeners are called, so that they are available even if one of them throws (this includes authenticators’ data which suffer from the same issue).

Before

After

(Other listeners are hidden on this screenshot but they would be displayed in the profiler.)