When any of the authentication providers (see Authentication Providers)
has verified the still-unauthenticated token, an authenticated token will
be returned. The authentication listener should set this token directly
in the Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface
using its setToken()
From then on, the user is authenticated, i.e. identified. Now, other parts
of the application can use the token to decide whether or not the user may
request a certain URI, or modify a certain object. This decision will be made
by an instance of Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface.
An authorization decision will always be based on a few things:
The current token
For instance, the token’s getRoleNames()
method may be used to retrieve the roles of the current user (e.g.
ROLE_SUPER_ADMIN), or a decision may be based on the class of the token.
A set of attributes
Each attribute stands for a certain right the user should have, e.g.
ROLE_ADMIN to make sure the user is an administrator.
An object (optional)
Any object for which access control needs to be checked, like
an article or a comment object.
Since deciding whether or not a user is authorized to perform a certain
action can be a complicated process, the standard Symfony\Component\Security\Core\Authorization\AccessDecisionManager
itself depends on multiple voters, and makes a final verdict based on all
the votes (either positive, negative or neutral) it has received. It
recognizes several strategies:
grant access as soon as there is one voter granting access;
grant access if there are more voters granting access than there are denying;
only grant access if none of the voters has denied access. If all voters
abstained from voting, the decision is based on the allow_if_all_abstain
config option (which defaults to false).
grants or denies access by the first voter that does not abstain;
New in version 5.1: The priority version strategy was introduced in Symfony 5.1.
Usage of the available options in detail:
useSymfony\Component\Security\Core\Authorization\AccessDecisionManager;// instances of Symfony\Component\Security\Core\Authorization\Voter\VoterInterface$voters=[...];// one of "affirmative", "consensus", "unanimous", "priority"$strategy=...;// whether or not to grant access when all voters abstain$allowIfAllAbstainDecisions=...;// whether or not to grant access when there is no majority (applies only to the "consensus" strategy)$allowIfEqualGrantedDeniedDecisions=...;$accessDecisionManager=newAccessDecisionManager($voters,$strategy,$allowIfAllAbstainDecisions,$allowIfEqualGrantedDeniedDecisions);
this method will do the actual voting and return a value equal to one
of the class constants of Symfony\Component\Security\Core\Authorization\Voter\VoterInterface,
i.e. VoterInterface::ACCESS_GRANTED, VoterInterface::ACCESS_DENIED
The Security component contains some standard voters which cover many use
voter supports the attributes IS_AUTHENTICATED_FULLY,
to grant access based on the current level of authentication, i.e. is the
user fully authenticated, or only based on a “remember-me” cookie, or even
It also supports the attributes IS_ANONYMOUS, IS_REMEMBERED,
IS_IMPERSONATOR to grant access based on a specific state of
New in version 5.1: The IS_ANONYMOUS, IS_REMEMBERED and IS_IMPERSONATOR
attributes were introduced in Symfony 5.1.
useSymfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;$trustResolver=newAuthenticationTrustResolver();$authenticatedVoter=newAuthenticatedVoter($trustResolver);// instance of Symfony\Component\Security\Core\Authentication\Token\TokenInterface$token=...;// any object$object=...;$vote=$authenticatedVoter->vote($token,$object,['IS_AUTHENTICATED_FULLY']);
supports attributes starting with ROLE_ and grants access to the user
when at least one required ROLE_* attribute can be found in the array of
roles returned by the token’s getRoleNames()
and provides some additional functionality: it knows how to handle a
hierarchy of roles. For instance, a ROLE_SUPER_ADMIN role may have sub-roles
ROLE_ADMIN and ROLE_USER, so that when a certain object requires the
user to have the ROLE_ADMIN role, it grants access to users who in fact
have the ROLE_ADMIN role, but also to users having the ROLE_SUPER_ADMIN
useSymfony\Component\ExpressionLanguage\Expression;useSymfony\Component\Security\Core\Authorization\Voter\ExpressionVoter;// Symfony\Component\Security\Core\Authorization\ExpressionLanguage;$expressionLanguage=...;// instance of Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface$trustResolver=...;// Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface$authorizationChecker=...;$expressionVoter=newExpressionVoter($expressionLanguage,$trustResolver,$authorizationChecker);// instance of Symfony\Component\Security\Core\Authentication\Token\TokenInterface$token=...;// any object$object=...;$expression=newExpression('"ROLE_ADMIN" in role_names or (not is_anonymous() and user.isSuperAdmin())')$vote=$expressionVoter->vote($token,$object,[$expression]);
When you make your own voter, you can use its constructor to inject any
dependencies it needs to come to a decision.
Roles are strings that give expression to a certain right the user has (e.g.
“edit a blog post”, “create an invoice”). You can freely choose those
strings. The only requirement is that they must start with the ROLE_ prefix
(e.g. ROLE_POST_EDIT, ROLE_INVOICE_CREATE).
The access decision manager can be used at any point in a request to decide whether
or not the current user is entitled to access a given resource. One optional,
but useful, method for restricting access based on a URL pattern is the
which is one of the firewall listeners (see Firewall Listeners) that
is triggered for each request matching the firewall map (see A Firewall for HTTP Requests).
It uses an access map (which should be an instance of Symfony\Component\Security\Http\AccessMapInterface)
which contains request matchers and a corresponding set of attributes that
are required for the current user to get access to the application:
The access decision manager is also available to other parts of the application
via the isGranted()
method of the Symfony\Component\Security\Core\Authorization\AuthorizationChecker.
A call to this method will directly delegate the question to the access