Table Of Contents


You can obtain free community support for example through stackoverflow, or also through the Symfony2 mailing list.

If you think you found a bug, please create a ticket in the bug tracker.

Continuous Inspections

If you take code quality seriously, try out the new continuous inspection service.


Method Security Authorization

Securing methods allows for the most fine-grained access control that Symfony2 has to offer.

Generally, you can secure all public, or protected methods which are non-static, and non-final. Private methods cannot be secured. You can also add metadata for abstract methods, or interfaces which will then be applied to their concrete implementations automatically.

Access Control via DI configuration

You can specify access control expressions in the DI configuration:

# config.yml
        ':loginAction$': 'isAnonymous()'
        'AcmeFooBundle:.*:deleteAction': 'hasRole("ROLE_ADMIN")'
        '^MyNamespace\\MyService::foo$': 'hasPermission(#user, "VIEW")'

The pattern is a case-sensitive regular expression which is matched against two notations. The first match is being used.

First, your pattern is matched against the notation for non-service controllers. This obviously is only done if your class is actually a controller, e.g. AcmeFooBundle:Add:new for a controller named AddController and a method named newAction in a sub-namespace Controller in a bundle named AcmeFooBundle.

Last, your pattern is matched against the concatenation of the class name, and the method name that is being called, e.g. My\Fully\Qualified\ClassName::myMethodName.

Note: If you would like to secure non-service controllers, the JMSDiExtraBundle must be installed.

Note 2: When using a Fully Qualified Class Name, you have to escape backslashes as in the example above.

Access Control via Annotations

If you like to secure a service with annotations, you need to enable annotation configuration for this service:

        class: Bar
        tags: [ { name: "security.secure_service" } ]
<service id="foo" class="Bar">
    <tag name="security.secure_service"/>

In case, you like to configure all services via annotations, you can also set secure_all_services to true. Then, you do not need to add a tag for each service.