Reputation: 3576
I am using the FOSUserBundle and am successfully creating users in my database. However, I'm trying to log users in and only have ROLE_ADMIN users access /admin by following the Symfony security walk-through.

However, even without having figured out logging users in, when I try to access localhost/app_dev.php/admin I am able to access it as the "Anon" user. Below are my security.yml and controller files:
app/config/security.yml

    security:
        encoders:
            FOS\UserBundle\Model\UserInterface: bcrypt

        role_hierarchy:
            ROLE_ADMIN: ROLE_USER
            ROLE_SUPER_ADMIN: ROLE_ADMIN

        providers:
            fos_userbundle:
                id: fos_user.user_provider.username

        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
            main:
                pattern: ^/
                form_login:
                    provider: fos_userbundle
                    csrf_provider: security.csrf.token_manager
                logout: true
                anonymous: true

        access_control:
            - { path: ^/admin/, role: ROLE_ADMIN }
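src/AppBundle/Controller/DefaultController.php

    namespace AppBundle\Controller;

    use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
    use Symfony\Bundle\FrameworkBundle\Controller\Controller;
    use Symfony\Component\HttpFoundation\Request;

    class DefaultController extends Controller
    {
        /**
         * @Route("/admin", name="admin")
         */
        public function AdminAction(Request $request)
        {
            // Renders the admin page; access is expected to be limited by access_control
            return $this->render('default/admin.html.twig', array(
                'title' => 'Welcome Admin!!'
            ));
        }
    }
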
Upvotes: 0
Views: 152
I'm not familiar with FOSUserBundle; however, your access_control entry is for the path /admin/ (note the trailing slash), whereas your example localhost/app_dev.php/admin doesn't have one. If you remove that from your access_control entry or change your routes, then this should work as expected.

E.g.

    access_control:
        - { path: ^/admin, role: ROLE_ADMIN }

Upvotes: 1
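
The trailing-slash mismatch described in the answer can be checked offline. This is an added example, not code from the question, the answer or Symfony itself: `requiredRole()` is a hypothetical helper that models an access_control rule as a regular expression applied to the request path, first match wins, and the list of paths is constructed.

```php
<?php
// Added example: simplified model of access_control path matching.
// requiredRole() and the sample paths are constructed for illustration.

/**
 * Return the role required by the first rule whose pattern matches $path,
 * or null when no rule matches (access_control then places no restriction).
 */
function requiredRole(array $rules, string $path): ?string
{
    foreach ($rules as $rule) {
        // The pattern is applied as an unanchored regex, so the leading "^"
        // is the only anchoring the rule gets; nothing anchors the end.
        if (preg_match('{' . $rule['path'] . '}', rawurldecode($path)) === 1) {
            return $rule['role'];
        }
    }
    return null;
}

// Constructed request paths, including the one from the question.
$paths = ['/admin', '/admin/', '/admin/users', '/administrator', '/login'];

$ruleSets = [
    'question: ^/admin/' => [['path' => '^/admin/', 'role' => 'ROLE_ADMIN']],
    'answer:   ^/admin'  => [['path' => '^/admin',  'role' => 'ROLE_ADMIN']],
];

foreach ($ruleSets as $label => $rules) {
    echo $label, PHP_EOL;
    foreach ($paths as $path) {
        $role = requiredRole($rules, $path);
        // With "anonymous: true" on the firewall, an unmatched path is
        // reachable without logging in.
        printf("  %-15s %s\n", $path, $role ?? 'no rule matches (anonymous allowed)');
    }
}
```

With the question's pattern, `/admin` matches no rule while `/admin/` and `/admin/users` require ROLE_ADMIN; with the answer's pattern all three do, and so does `/administrator`, because the pattern has no end anchor.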