security: encoders: # Our user class and the algorithm we'll use to encode passwords # 'auto' means to let Symfony choose the best possible password hasher (Argon2 or Bcrypt) # https://symfony.com/doc/current/security.html#c-encoding-passwords App\Entity\User: 'auto' providers: # https://symfony.com/doc/current/security/user_provider.html # In this example, users are stored via Doctrine in the database # To see the users at src/App/DataFixtures/ORM/LoadFixtures.php # To load users from somewhere else: https://symfony.com/doc/current/security/user_provider.html#creating-a-custom-user-provider database_users: entity: { class: App\Entity\User, property: username } # https://symfony.com/doc/current/security.html#a-authentication-firewalls firewalls: dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: false main: # this firewall applies to all URLs pattern: ^/ # but the firewall does not require login on every page # denying access is done in access_control or in your controllers anonymous: true lazy: true # The user provider to use. provider: database_users # This allows the user to login by submitting a username and password # Reference: https://symfony.com/doc/current/security/form_login_setup.html form_login: # The route name that the login form submits to check_path: security_login # The name of the route where the login form lives # When the user tries to access a protected page, they are redirected here login_path: security_login # Secure the login form against CSRF # Reference: https://symfony.com/doc/current/security/csrf.html#csrf-protection-in-login-forms csrf_token_generator: security.csrf.token_manager # The page users are redirect to when there is no previous page stored in the # session (for example when the users access directly to the login page). default_target_path: blog_index logout: # The route name the user can go to in order to logout path: security_logout # The name of the route to redirect to after logging out target: homepage # Easy way to control access for large sections of your site # Note: Only the *first* access control that matches will be used access_control: # this is a catch-all for the admin area # additional security lives in the controllers - { path: '^/(%app_locales%)/admin', roles: ROLE_ADMIN } role_hierarchy: ROLE_ADMIN: ROLE_USER