
Security & Authorization

ADP captures authentication and authorization data from your application: user identity, roles, tokens, login/logout events, access decisions, and impersonation. The inspector also provides a live view of your security configuration.

AuthorizationCollector

AuthorizationCollector (AppDevPanel\Kernel\Collector\AuthorizationCollector, a final Kernel class) captures runtime security data. It implements SummaryCollectorInterface (AppDevPanel\Kernel\Collector\SummaryCollectorInterface, a Kernel interface that extends CollectorInterface) for summary display in the debug entry list. The summary is used to display a list of previous requests and select one to display full info; its data set is specific to the list and is reduced compared to the full data collected in CollectorInterface.

Collected Data

| Field | Type | Description |
| --- | --- | --- |
| username | ?string | Authenticated user identifier |
| roles | string[] | Assigned roles |
| effectiveRoles | string[] | Resolved roles (from hierarchy) |
| firewallName | ?string | Active firewall/guard name |
| authenticated | bool | Whether the user is authenticated |
| token | ?{type, attributes, expiresAt} | Auth token info (JWT, session, API key) |
| impersonation | ?{originalUser, impersonatedUser} | User switching data |
| guards | array | Guard/firewall configurations |
| roleHierarchy | array<string, string[]> | Role inheritance map |
| authenticationEvents | array | Login, logout, failure events with timing |
| accessDecisions | array | Authorization checks with voters and results |

Collection Methods

php
$collector->collectUser('admin@example.com', ['ROLE_ADMIN'], true);
$collector->collectFirewall('main');
$collector->collectToken('jwt', ['sub' => '123'], '2026-12-31T23:59:59Z');
$collector->collectImpersonation('admin', 'user@example.com');
$collector->collectGuard('web', 'users', ['driver' => 'session']);
$collector->collectRoleHierarchy(['ROLE_ADMIN' => ['ROLE_USER', 'ROLE_EDITOR']]);
$collector->collectEffectiveRoles(['ROLE_ADMIN', 'ROLE_USER', 'ROLE_EDITOR']);
$collector->collectAuthenticationEvent('login', 'form_login', 'success', ['ip' => '127.0.0.1']);
$collector->logAccessDecision('EDIT', 'App\\Entity\\Post', 'ACCESS_DENIED', $voters, 0.002, ['route' => '/admin']);

Adapter Wiring

Each adapter automatically feeds AuthorizationCollector from the framework's native auth system.

Symfony

AuthorizationSubscriber (AppDevPanel\Adapter\Symfony\EventSubscriber\AuthorizationSubscriber, a final Adapter/Symfony class that implements EventSubscriberInterface) listens to Symfony Security events and feeds AuthorizationCollector. Requires symfony/security-http.

| Event | Description | Data Captured |
| --- | --- | --- |
| Symfony\Component\Security\Http\Event\LoginSuccessEvent | Dispatched after a successful authentication. Contains the authenticated token, request, and firewall name. | User identity, roles, firewall, token type, impersonation |
| Symfony\Component\Security\Http\Event\LoginFailureEvent | Dispatched when authentication fails. Contains the authentication exception and request. | Failed auth event with exception details |
| Symfony\Component\Security\Http\Event\LogoutEvent | Dispatched on user logout. Contains the request, response, and token. | Logout event |
| Symfony\Component\Security\Http\Event\SwitchUserEvent | Dispatched when impersonation (user switching) occurs. | Impersonation data |
| Symfony\Component\Security\Core\Event\VoteEvent | Dispatched by the access decision manager for each voter's vote on an authorization check. | Access decisions with voter results |

TIP

Enable in config/packages/app_dev_panel.yaml:

yaml
app_dev_panel:
    collectors:
        security: true

Laravel

AuthorizationListener (AppDevPanel\Adapter\Laravel\EventListener\AuthorizationListener, a final Adapter/Laravel class) listens to Laravel Auth events and feeds AuthorizationCollector.

| Event | Description | Data Captured |
| --- | --- | --- |
| Illuminate\Auth\Events\Authenticated | Fired when a user is authenticated (on each request after session check). | User identity, guard name |
| Illuminate\Auth\Events\Login | Fired when a user logs in via credentials or remember token. | Login event, remember flag |
| Illuminate\Auth\Events\Logout | Fired when a user logs out. | Logout event |
| Illuminate\Auth\Events\Failed | Fired when an authentication attempt fails. | Failed auth with credential keys |
| Illuminate\Auth\Events\OtherDeviceLogout | Fired when sessions on other devices are invalidated. | Other device logout |

Yii 2

AuthorizationListener (AppDevPanel\Adapter\Yii2\EventListener\AuthorizationListener, a final Adapter/Yii2 class) hooks into User events and feeds AuthorizationCollector. User (yii\web\User) is the Yii 2 class that manages user authentication state and provides login, logout, and identity management.

| Event | Data Captured |
| --- | --- |
| User::EVENT_AFTER_LOGIN | User ID, duration, cookie-based flag |
| User::EVENT_AFTER_LOGOUT | Logout event with user ID |
| Application::EVENT_BEFORE_REQUEST | Current session user on each request |

Yii 3

AuthorizationCollector is registered in DI but requires manual calls, because Yii 3 has no standardized auth event system.
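When the collector is fed manually, the caller supplies the effective roles itself. The following is an added example, not ADP's own code: it expands assigned roles through a hierarchy map of the shape passed to collectRoleHierarchy() and lists the roles held only through inheritance. The helper name resolveEffectiveRoles and the sample hierarchy are hypothetical, and treating inheritance as transitive is an assumption.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of ADP): expand assigned roles through a
 * hierarchy map of role => directly inherited roles, assuming inheritance
 * is transitive.
 *
 * @param string[] $roles
 * @param array<string, string[]> $hierarchy
 * @return string[] assigned roles first, then inherited ones in discovery order
 */
function resolveEffectiveRoles(array $roles, array $hierarchy): array
{
    $seen = [];
    $queue = array_values($roles);
    while ($queue !== []) {
        $role = array_shift($queue);
        if (isset($seen[$role])) {
            continue; // already expanded; this also terminates cyclic hierarchies
        }
        $seen[$role] = true;
        foreach ($hierarchy[$role] ?? [] as $inherited) {
            $queue[] = $inherited;
        }
    }
    return array_map('strval', array_keys($seen));
}

// Constructed sample: the page's hierarchy plus one extra level and a cycle.
$hierarchy = [
    'ROLE_SUPER_ADMIN' => ['ROLE_ADMIN'],
    'ROLE_ADMIN'       => ['ROLE_USER', 'ROLE_EDITOR'],
    'ROLE_EDITOR'      => ['ROLE_USER'],
    'ROLE_USER'        => ['ROLE_EDITOR'], // cycle, must not loop forever
];
$assigned  = ['ROLE_SUPER_ADMIN'];
$effective = resolveEffectiveRoles($assigned, $hierarchy);

// Roles the user holds only through inheritance: worth checking in the panel.
$inheritedOnly = array_values(array_diff($effective, $assigned));

echo 'effective: ', implode(', ', $effective), PHP_EOL;
echo 'inherited only: ', implode(', ', $inheritedOnly), PHP_EOL;

// With a collector instance in scope, pass the results to the methods shown
// under "Collection Methods":
// $collector->collectRoleHierarchy($hierarchy);
// $collector->collectEffectiveRoles($effective);
```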

Authorization Inspector

The inspector provides a live view of security configuration via GET /inspect/api/authorization.

Response

json
{
  "guards": [
    {"name": "web", "provider": "users", "config": {"driver": "session"}}
  ],
  "roleHierarchy": {
    "ROLE_ADMIN": ["ROLE_USER", "ROLE_EDITOR"]
  },
  "voters": [
    {"name": "RoleVoter", "type": "voter", "priority": 255}
  ],
  "config": {
    "access_decision_manager": {"strategy": "affirmative"}
  }
}

Adapters implement AuthorizationConfigProviderInterface to supply this data. Default: NullAuthorizationConfigProvider (AppDevPanel\Api\Inspector\Authorization\NullAuthorizationConfigProvider, a final API class that implements AuthorizationConfigProviderInterface), the no-op provider used when no framework adapter supplies authorization config (empty arrays).

Frontend

AuthorizationPanel (Debug)

Displays per-request security data in the debug view:

  • User identity card (username, status, firewall, roles, effective roles, token)
  • Impersonation banner (when active)
  • Authentication events timeline (login, logout, failure)
  • Access decisions table (expandable, shows voters and context)

AuthorizationPage (Inspector)

Located at /inspector/authorization. Displays live security configuration:

  • Guards table (name, provider, config)
  • Role hierarchy tree (role → inherited roles)
  • Voters/policies table (name, type, priority)
  • Security configuration JSON

Released under the MIT License.