start_sf5_project/app/config/packages/security.yaml

security:
    encoders:
        # Our user class and the algorithm we'll use to encode passwords
        # 'auto' means to let Symfony choose the best possible password hasher (Argon2 or Bcrypt)
        # https://symfony.com/doc/current/security.html#c-encoding-passwords
        App\Entity\User: 'auto'

    providers:
        # https://symfony.com/doc/current/security/user_provider.html
        # In this example, users are stored via Doctrine in the database
        # To see the users at src/App/DataFixtures/ORM/LoadFixtures.php
        # To load users from somewhere else: https://symfony.com/doc/current/security/user_provider.html#creating-a-custom-user-provider
        database_users:
            entity: { class: App\Entity\User, property: username }

    # https://symfony.com/doc/current/security.html#a-authentication-firewalls
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

        main:
            # this firewall applies to all URLs
            pattern: ^/

            # but the firewall does not require login on every page
            # denying access is done in access_control or in your controllers
            anonymous: true
            lazy: true

            # The user provider to use.
            provider: database_users

            # This allows the user to login by submitting a username and password
            # Reference: https://symfony.com/doc/current/security/form_login_setup.html
            form_login:
                # The route name that the login form submits to
                check_path: security_login
                # The name of the route where the login form lives
                # When the user tries to access a protected page, they are redirected here
                login_path: security_login
                # Secure the login form against CSRF
                # Reference: https://symfony.com/doc/current/security/csrf.html#csrf-protection-in-login-forms
                csrf_token_generator: security.csrf.token_manager
                # The page users are redirect to when there is no previous page stored in the
                # session (for example when the users access directly to the login page).
                default_target_path: blog_index

            logout:
                # The route name the user can go to in order to logout
                path: security_logout
                # The name of the route to redirect to after logging out
                target: homepage

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # this is a catch-all for the admin area
        # additional security lives in the controllers
        - { path: '^/(%app_locales%)/admin', roles: ROLE_ADMIN }

    role_hierarchy:
        ROLE_ADMIN: ROLE_USER