Security: Firewalls
Firewalls define authentication boundaries — which routes need a logged-in user and how that user authenticates.
- Configured in `config/packages/security.yaml` under `firewalls`. Each firewall has a path pattern and one or more authenticators.
- Authenticators: `form_login`, `http_basic`, `json_login`, `login_link`, custom (extend `AbstractAuthenticator`).
- Match order matters — Symfony picks the first firewall whose `pattern` matches the request URL.
- Stateless firewalls (`stateless: true`) skip session storage — use for APIs with token auth.
- `access_control` rules are coarse path-based role checks, applied after authentication.
- Firewalls (authentication) control who you are; `access_control` and voters (authorization) control what you can do.
Common gotchas
- The `dev` firewall (debug toolbar paths) must come first; otherwise its paths get matched by your main firewall, which breaks the profiler.
- `logout` is configured per-firewall and fires the `LogoutEvent` — use it for session cleanup.
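
An added example, not from the original page: a `config/packages/security.yaml` laid out in the match order described above, with the `dev` firewall first, a stateless API firewall next, and the catch-all `main` firewall last. The `api` firewall, the route names (`app_login`, `app_logout`), the classes `App\Security\ApiTokenAuthenticator` and `App\Entity\User`, and the role names are assumptions chosen for illustration.

```yaml
# config/packages/security.yaml (illustrative; names marked "assumed" are hypothetical)
security:
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User        # assumed user entity
                property: email

    firewalls:
        # 1. Must be first: profiler/toolbar and asset paths bypass security,
        #    so the firewalls below never see them.
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        # 2. Listed before "main" because "main" has no pattern and matches everything.
        #    stateless: true means no session is read or written; every request
        #    must carry its own credentials (token auth).
        api:
            pattern: ^/api
            stateless: true
            provider: app_user_provider
            custom_authenticators:
                - App\Security\ApiTokenAuthenticator   # assumed class extending AbstractAuthenticator

        # 3. Catch-all for browser traffic: session-based form login.
        main:
            lazy: true
            provider: app_user_provider
            form_login:
                login_path: app_login         # assumed route name
                check_path: app_login
            logout:
                path: app_logout              # assumed route name; logout fires LogoutEvent on this firewall only

    # Coarse path-based role checks, evaluated after authentication.
    # Only the first matching rule applies, so list specific paths before general ones.
    access_control:
        - { path: ^/login, roles: PUBLIC_ACCESS }
        - { path: ^/api,   roles: ROLE_API }      # assumed role
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/,      roles: ROLE_USER }
```

Moving `main` above `api` would route `/api` requests through the session-based form login, because `main` has no `pattern` and therefore matches every URL.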