Exactly what you wrote: If your path is not under firewall, credential information aren't available there because firewall won't cover them.
In your specific case, you will have access to credential information only on routes that start with /cp
. What you probably want to do is define firewall pattern as ^/
. So that your firewall covers all paths on your website, and then use access_control
or whatever method you use to check access permissions for specific page.