Reputation: 3797
How is it possible to get app.user from unsecure area?
So I have secured area which starts from ^/user.
But I need to display logout form on area which is accessible for everyone and not secured. How is this possible? My security.yml:
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        ###:
            algorithm: sha512
            encode_as_base64: true
            iterations: 10
        ###:
            algorithm: sha512
            encode_as_base64: true
            iterations: 10

    role_hierarchy:

    providers:
        admin:
            name: admin
            entity: { class: ###, property: login }
        user:
            name: user
            entity: { class: ###, property: login }

    firewalls:
        admin:
            pattern: ^/admin
            form_login:
                login_path: ###_login
                check_path: ###_login_process
                default_target_path: /admin/dashboard
            anonymous: ~
            logout:
                path: /admin/logout
                target: /admin/login
            provider: admin
            remember_me:
                key: "###"
                lifetime: 604800
                path: /
                domain: ~

        user:
            pattern: ^/user
            form_login:
                login_path: ###_login
                check_path: ###_login_process
                default_target_path: ###
            anonymous: ~
            logout:
                path: /user/logout
                target: /user/login
            provider: user
            remember_me:
                key: "###"
                lifetime: 604800
                path: /
                domain: ~

    access_control:
        - { path: ^/admin/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, roles: ROLE_ADMIN }
        - { path: ^/user/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/user/, roles: ROLE_USER }
Upvotes: 1
Views: 568
Reputation: 1587
You can get app.user in some unsecured area because Symfony security relies on 2 different mechanisms: authentication and authorization.
Authentication is defined by firewalls. As soon as you get under a firewall, you get a token and eventually an app.user, even if it is anonymous.
Authorization is related to access_control rules. It is a second step; you can't put access control rules outside of a firewall. There you will deal with the ROLE requirement, for example if ROLE_ANONYMOUS is enough, if you want ROLE_USER
...
One more thing: to complexify a little further, a firewall can allow or disallow anonymous users. By default it is true, as it is required to have your login and login_check paths under your firewall, though you can't require users there to have a role other than ROLE_ANONYMOUS (if you do so, you will have an infinite loop).
Upvotes: 0
Reputation: 3797
Well, I changed my security.yml a little bit. So currently everything works OK.
user:
    pattern: ^/

access_control:
    - { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    ...
UPDATE 1
It seems that line in access_control is not required. Moreover, for some reason (might be cache) anonymous users were accessing /user areas.
Upvotes: 1
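The following security.yml is an added example illustrating both the answer's point (a firewall provides the token and app.user, access_control decides who may enter) and the asker's working fix (one firewall with pattern ^/); it is not the asker's own final file. The class name AppBundle\Entity\User, the /user/login_check and /user/dashboard paths and the %secret% parameter are assumptions chosen for the example.

```yaml
# Added example, not the question's or the answer's config.
# One firewall covering the whole site gives every request a token,
# so app.user is available on public pages too; access_control alone
# decides which paths require ROLE_USER.
security:
    encoders:
        AppBundle\Entity\User:           # assumed entity class
            algorithm: sha512
            encode_as_base64: true
            iterations: 10

    providers:
        user:
            entity: { class: AppBundle\Entity\User, property: login }

    firewalls:
        # Assets and the profiler get no token at all (app.user is null there).
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # Single firewall for everything: anonymous visitors receive an
        # anonymous token, logged-in users their real one.
        main:
            pattern: ^/
            anonymous: ~
            provider: user
            form_login:
                login_path: /user/login            # assumed route
                check_path: /user/login_check      # assumed route
                default_target_path: /user/dashboard
            logout:
                path: /user/logout
                target: /
            remember_me:
                key: "%secret%"                    # assumed parameter
                lifetime: 604800
                path: /

    # Authorization. The first matching rule wins, so the login page must be
    # listed before the ^/user/ catch-all. A path with no matching rule (for
    # example the public home page carrying the logout form) is allowed, which
    # is why the asker's extra ^/ rule turned out to be unnecessary.
    access_control:
        - { path: ^/user/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/user/, roles: ROLE_USER }
```

On the public page, test the token rather than the user object when deciding whether to render the logout form: `is_granted('IS_AUTHENTICATED_REMEMBERED')` is true for both fresh and remember-me logins and false for the anonymous token, whereas checking app.user alone does not distinguish a remember-me session from a fully authenticated one. Keep the ^/user/login rule above ^/user/, otherwise the login page itself requires ROLE_USER and the redirect loop the answer mentions appears.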