@@ -476,9 +476,12 @@ will be able to authenticate (e.g. login form, API token, etc).
476476 security :
477477 # ...
478478 firewalls :
479+ # the order in which firewalls are defined is very important, as the
480+ # request will be handled by the first firewall whose pattern matches
479481 dev :
480482 pattern : ^/(_(profiler|wdt)|css|images|js)/
481483 security : false
484+ # a firewall with no pattern should be defined last because it will match all requests
482485 main :
483486 lazy : true
484487 # provider that you set earlier inside providers
@@ -504,10 +507,14 @@ will be able to authenticate (e.g. login form, API token, etc).
504507
505508 <config >
506509 <!-- ... -->
510+
511+ <!-- the order in which firewalls are defined is very important, as the
512+ request will be handled by the first firewall whose pattern matches -->
507513 <firewall name =" dev"
508514 pattern =" ^/(_(profiler|wdt)|css|images|js)/"
509515 security =" false"
510516
517+ <!-- a firewall with no pattern should be defined last because it will match all requests -->
511518 <firewall name =" main"
512519 lazy =" true"
513520
@@ -526,11 +533,15 @@ will be able to authenticate (e.g. login form, API token, etc).
526533
527534 return static function (SecurityConfig $security): void {
528535 // ...
536+
537+ // the order in which firewalls are defined is very important, as the
538+ // request will be handled by the first firewall whose pattern matches
529539 $security->firewall('dev')
530540 ->pattern('^/(_(profiler|wdt)|css|images|js)/')
531541 ->security(false)
532542 ;
533543
544+ // a firewall with no pattern should be defined last because it will match all requests
534545 $security->firewall('main')
535546 ->lazy(true)
536547
0 commit comments