New in Symfony 2.5: Create the Correct Denied HTTP Exception
by Fabien Potencier – February 05, 2014 – 7 comments

Contributed by Klaus Silveira in #9405.

Do you know the difference between Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException and Symfony\Component\Security\Core\Exception\AccessDeniedException?

Their names look very similar and both deal with resources to which the user does not have access. But which one should you use in a controller? This is probably counter-intuitive, but you should use Symfony\Component\Security\Core\Exception\AccessDeniedException. When using an IDE, it is easy to import the wrong exception. As this is a frequent mistake, we even added a rule about it on SensioLabsInsight (and this violation is triggered quite often).

As of 2.5, you can now rely on a helper method that does the right thing (if you are using the Symfony\Bundle\FrameworkBundle\Controller\Controller base class):

throw $this->createAccessDeniedException('You cannot access this page!');

By the way, Symfony\Component\Security\Core\Exception\AccessDeniedException is the exception class you want to use because it is automatically caught by the Symfony Security Firewall, which generates the correct response for the user.
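The difference in a controller, as an added example that is not code from the original post or from Symfony itself. The bundle namespace, `ReportController`, its two actions and `ROLE_REPORT_VIEWER` are hypothetical; it assumes Symfony 2.5 with both actions behind a firewall.

```php
<?php
// Added example. Hypothetical names: Acme\DemoBundle, ReportController,
// showWrongAction/showAction, ROLE_REPORT_VIEWER.
namespace Acme\DemoBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Response;
// The import an IDE tends to suggest first. It is an HTTP-level exception
// and the Security Firewall does not catch it.
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

class ReportController extends Controller
{
    /**
     * Before: wrong exception class.
     * The firewall never sees it, so every caller gets a bare 403. An
     * anonymous visitor is not sent to the login entry point, and a
     * configured access-denied handler or URL is not applied.
     */
    public function showWrongAction()
    {
        if (!$this->get('security.context')->isGranted('ROLE_REPORT_VIEWER')) {
            throw new AccessDeniedHttpException('You cannot access this page!');
        }

        return new Response('report');
    }

    /**
     * After: the 2.5 helper, which creates a
     * Symfony\Component\Security\Core\Exception\AccessDeniedException.
     * The firewall catches it: a visitor who is not fully authenticated is
     * sent to the authentication entry point (for example the login form),
     * and an authenticated user without the role gets the firewall's
     * access-denied handling, a 403 by default.
     */
    public function showAction()
    {
        if (!$this->get('security.context')->isGranted('ROLE_REPORT_VIEWER')) {
            throw $this->createAccessDeniedException('You cannot access this page!');
        }

        return new Response('report');
    }
}
```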


  • FredV
    #1 FredV said on the 2014/02/05 at 15:32
    So when to use such a "Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException" ?
  • Piotr Gołębiewski
    #2 Piotr Gołębiewski said on the 2014/02/05 at 22:16
    @FredVelcro it's used internally and thrown by Symfony/Component/HttpKernel/EventListener/FragmentListener when the request is invalid or it comes from an untrusted IP
  • Piotr Gołębiewski
    #3 Piotr Gołębiewski said on the 2014/02/05 at 22:20
    Judging by use cases, I'd say the AccessDeniedHttpException is used when the request itself is rejected, and AccessDeniedException is used when the user does not have enough credentials to access the resource.
  • Sidora Gleb
    #4 Sidora Gleb said on the 2014/02/06 at 08:27
    @Piotr Gołębiewski
    If the exception is specific to the Fragments sub-framework, its namespace should explicitly reference `fragments`
  • kor3k kor3k
    #5 kor3k kor3k said on the 2014/02/09 at 14:20
    @FredVelcro or where you intentionally do not want to trigger the firewall handler
  • Michal Mojzesz
    #6 Michal Mojzesz said on the 2014/02/11 at 10:57
    Thank you! I was writing about that two years ago. Not because of mistakes using the wrong exception, but rather because I think 403 is also a very often used exception in controllers.
  • JeanBar
    #7 JeanBar said on the 2014/03/28 at 13:45
    You seem to perfectly know that the name you've chosen sucks.
    Instead of correcting it, you keep on the same path and add a useless method.

    Why don't you deprecate something you failed in design?