well, your rest_api firewall will never be used, as it is after the main firewall which will always match. This means that your API is secured through the stateful form_login auth, not through http_basic.
firewalls:
rest_api:
pattern: ^/api/
stateless: true
http_basic:
provider: fos_userbundle
main:
pattern: ^/
form_login:
provider: fos_userbundle
remember_me: true
login_path: /login
check_path: /login_check
default_target_path: minn_ads_default_index
csrf_provider: form.csrf_provider
remember_me:
key: %secret%
access_control:
# ...
- { path: ^/api/, role: IS_AUTHENTICATED_FULLY }