Question

In an application I am developing, I'm having a weird issue with the access control for the security component.

I use the FOSUserBundle (of course) for users and I copied the example access control rules from the bundle documentation to my security.yml. The login screen (/login) works perfectly, but the issue is that all other access control rules have absolutely no effect whatsoever. When a user goes to /register, for example, he is redirected to /login; the same goes for /resetting.

This is my security.yml file:

jms_security_extra:
    secure_all_services: false
    expressions: true

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern:  ^/(\_(profiler|wdt)|css|images|js)/
            security: false

        api:
            pattern: ^/api
            anonymous: false
            form_login: false
            provider: fos_userbundle
            http_basic:
                realm: "REST Service Realm"

        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout:       true
            anonymous:    ~
            switch_user:  { role: ROLE_SUPER_ADMIN, parameter: _impersonate }

    access_control:
        - { path: ^/login, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/superadmin/, role: ROLE_SUPER_ADMIN }

I have tried to turn off security for paths containing /resetting and /register, but that clearly won't work, since the security token still needs to be available for the FOSUserBundle controllers.

Any help would be much appreciated!


Solution 2

The problem was that another bundle was messing with each request checking if the user was logged in or not. If the user wasn't logged in, a redirect response was generated to the login page.

No idea why this was done, I think it comes from an era where the original authors had less experience with Symfony.

But it proves once again: always check the logs. Very thoroughly.
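What the answer above describes, as an added example that is not code from the original question, from the answering user, or from any bundle named on this page: a kernel.request listener of the kind that hijacks every request and bounces unauthenticated users to /login before access_control is ever consulted, and beside it a version that at least exempts the paths security.yml declares anonymous. The namespace, class names and the exempt-path list are assumptions; the Symfony 2.x APIs used (`KernelEvents::REQUEST`, `GetResponseEvent`, `SecurityContextInterface`, `RequestMatcher`) are the ones the FOSUserBundle generation in the question ran against.

```php
<?php
// Added example, not from the original question or answer.
// Namespace, class names and the exempt-path list are invented for illustration.

namespace Acme\LegacyBundle\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\RequestMatcher;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\SecurityContextInterface;

/**
 * BROKEN (the pattern the accepted answer found): redirects every request
 * that does not carry a fully authenticated user to the login page.
 *
 * It runs on kernel.request, i.e. before any controller and independently of
 * access_control, so the anonymous rules for /register and /resetting in
 * security.yml are never given a chance: the firewall admits the anonymous
 * token, then this listener throws the request away.
 */
class LegacyLoginRedirectListener implements EventSubscriberInterface
{
    private $securityContext;
    private $router;

    public function __construct(SecurityContextInterface $securityContext, RouterInterface $router)
    {
        $this->securityContext = $securityContext;
        $this->router = $router;
    }

    public static function getSubscribedEvents()
    {
        // Priority 0 runs after the firewall listener (priority 8 in Symfony 2.x),
        // so a token is already present when isGranted() is called.
        return array(KernelEvents::REQUEST => array('onKernelRequest', 0));
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return; // sub-requests (forwards, ESI) keep the master request's decision
        }
        if (!$this->securityContext->isGranted('IS_AUTHENTICATED_FULLY')) {
            // Setting a response here short-circuits routing, the firewall's
            // access decision and the controller alike.
            $event->setResponse(new RedirectResponse(
                $this->router->generate('fos_user_security_login')
            ));
        }
    }
}

/**
 * SCOPED variant: if such a listener must stay, it has to mirror the anonymous
 * rules of access_control, otherwise it silently overrides them. The cleaner
 * fix is to delete the listener entirely: access_control plus the form_login
 * entry point already redirect unauthenticated users for any protected path.
 */
class ScopedLoginRedirectListener extends LegacyLoginRedirectListener
{
    /** @var RequestMatcher[] paths that security.yml allows anonymously (assumed list) */
    private $exempt;

    public function __construct(SecurityContextInterface $securityContext, RouterInterface $router)
    {
        parent::__construct($securityContext, $router);
        $this->exempt = array(
            new RequestMatcher('^/login'),
            new RequestMatcher('^/register'),
            new RequestMatcher('^/resetting'),
        );
    }

    public function onKernelRequest(GetResponseEvent $event)
    {
        foreach ($this->exempt as $matcher) {
            if ($matcher->matches($event->getRequest())) {
                return; // leave the decision to access_control, which permits these
            }
        }
        parent::onKernelRequest($event);
    }
}
```

Either class would be wired up as a service tagged `kernel.event_subscriber`, which is also how to hunt for the culprit: on Symfony 2.2+ `app/console container:debug --tag=kernel.event_subscriber` (and `--tag=kernel.event_listener`) lists every service hooked into the dispatcher, so an unexpected bundle listening on kernel.request stands out without reading its source. If a site-wide login requirement is genuinely wanted, express it as the last access_control rule (`- { path: ^/, role: ROLE_USER }`) rather than in a listener; rules are evaluated in order and the first match wins, so the anonymous /login, /register and /resetting rules above it still apply.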

Other tips

It might be to do with the order of the access_control; try putting superadmin above the others. You also don't seem to have a secured_area section (like this example from Symfony2 access control redirects to login):

security:
    firewalls:
        secured_area:
            pattern:   ^/
            anonymous: ~
            form_login:
                login_path: login
                check_path: login_check
License: CC-BY-SA with attribution
Not affiliated with StackOverflow