Jacky

Reputation: 58

access_control in Symfony3 doesn't work

I use Symfony 3 and I have an issue when using access_control in the app/config/security.yml.

I installed FOSUserBundle and I discovered that the routes /login, /resetting and /register are still available when the user has the role IS_AUTHENTICATED_ANONYMOUSLY. I use the basic configuration as it is explained in the documentation but it doesn't work:

access_control:
    - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/admin/, role: ROLE_ADMIN }

Is there any possibility that the error comes from another file? I spent a week searching for an answer and I can't figure out where the problem is coming from. Also, I tried to reinstall Symfony on another project from scratch just to try with a fresh configuration and the same error occurs.

Thank you for your help!

Upvotes: 2

Views: 333

Answers (2)

NDM

Reputation: 6830

By default, the routes /login, /resetting and /register will continue to be available even when logged in.

If you do not want this, you can do several things:

Upvotes: 1

Goku

Reputation: 2139

There are not any problems; it is quite normal that you accessed these routes whether authenticated or not:

IS_AUTHENTICATED_ANONYMOUSLY: All users (even anonymous ones) have this - this is useful when whitelisting URLs to guarantee access

This is the lowest level role.

But you can do this in your function that manages login if you want to be redirected to /admin when you try to access /login while logged in:

// In the login action: redirect users who already hold ROLE_ADMIN to the admin area
if ($this->get('security.authorization_checker')->isGranted('ROLE_ADMIN')) {
    return $this->redirect($this->generateUrl('your_route_path_to_admin'));
}

Upvotes: 1
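
Why /login stays reachable after logging in, as an added example that is not part of the original question or answers: a simplified stand-alone PHP model of how the question's access_control rules are evaluated (the first matching path decides, and IS_AUTHENTICATED_ANONYMOUSLY is satisfied by every user). The function names, the user array layout and the sample users are assumptions made for illustration, not Symfony's API.

```php
<?php
// Simplified model of access_control evaluation (illustration, not Symfony code).
// Rules copied from the question's security.yml; the first matching path wins.
$rules = [
    ['path' => '^/login$',    'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
    ['path' => '^/register',  'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
    ['path' => '^/resetting', 'role' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
    ['path' => '^/admin/',    'role' => 'ROLE_ADMIN'],
];

// Constructed sample users: 'level' is how the user authenticated,
// 'roles' are the ROLE_* names the user holds.
$users = [
    'anonymous visitor' => ['level' => 'anonymous', 'roles' => []],
    'logged-in user'    => ['level' => 'full', 'roles' => ['ROLE_USER']],
    'logged-in admin'   => ['level' => 'full', 'roles' => ['ROLE_USER', 'ROLE_ADMIN']],
];

function isGranted(array $user, string $attribute): bool
{
    // Each IS_AUTHENTICATED_* attribute lists the levels that satisfy it.
    $levels = [
        'IS_AUTHENTICATED_ANONYMOUSLY' => ['anonymous', 'remembered', 'full'],
        'IS_AUTHENTICATED_REMEMBERED'  => ['remembered', 'full'],
        'IS_AUTHENTICATED_FULLY'       => ['full'],
    ];
    if (isset($levels[$attribute])) {
        return in_array($user['level'], $levels[$attribute], true);
    }
    return in_array($attribute, $user['roles'], true); // plain ROLE_* check
}

function canAccess(array $rules, array $user, string $path): bool
{
    foreach ($rules as $rule) {
        if (preg_match('#' . $rule['path'] . '#', $path) === 1) {
            return isGranted($user, $rule['role']); // first match decides
        }
    }
    return true; // no rule matched: access_control imposes no restriction
}

foreach (['/login', '/register/', '/admin/users'] as $path) {
    foreach ($users as $name => $user) {
        $verdict = canAccess($rules, $user, $path) ? 'allowed' : 'denied';
        printf("%-13s %-18s %s\n", $path, $name, $verdict);
    }
}
```

Running it shows /login and /register/ allowed for all three users, while /admin/users is allowed only for the admin: the rules grant access to anonymous visitors but never exclude authenticated ones.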
