Symfony security

Updated: 09 February 2026

See https://symfonycasts.com/screencast/symfony-security/firewalls-authenticator
See https://symfony.com/doc/current/security/access_control.html

Notes

At the start of each request, before a Controller is called:

  1. The security system executes a set of authenticators.
  2. Each authenticator looks at the request and checks for authentication information it understands, e.g. a submitted email and password, an API key in a header, or OAuth.
  3. If the authenticator finds compatible credentials, it uses them to query for a user and check the password.

At the start of each request, Symfony iterates over the set of firewalls. The first firewall whose pattern key matches the current URL becomes the active firewall. A firewall with no pattern key matches all requests. Firewall names have no meaning.

For each incoming request, Symfony checks each access_control entry to find one that matches the current request. As soon as it finds a matching access_control entry, it stops – only the first matching access_control is used to enforce access.
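
The following security.yaml is an added example, not taken from the linked pages. It shows how first-match ordering affects both firewalls and access_control. The /admin/billing path and the role names are constructed for illustration.

```yaml
# config/packages/security.yaml (constructed example)
security:
    firewalls:
        # Has a pattern key: becomes the active firewall only for these URLs.
        # Must be listed before "main", otherwise "main" would match first.
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # No pattern key: matches every request not claimed by a firewall above.
        # The name "main" carries no meaning; only position and pattern do.
        main:
            lazy: true

    # Misordered (kept commented out for comparison):
    # the broad ^/admin entry matches /admin/billing first, Symfony stops
    # there, and the stricter entry below it is never consulted.
    #
    # access_control:
    #     - { path: ^/admin, roles: ROLE_ADMIN }
    #     - { path: ^/admin/billing, roles: ROLE_SUPER_ADMIN }

    # Corrected: most specific path first, broad fallback last.
    access_control:
        - { path: ^/admin/billing, roles: ROLE_SUPER_ADMIN }
        - { path: ^/admin, roles: ROLE_ADMIN }
```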
