@@ -482,9 +482,12 @@ will be able to authenticate (e.g. login form, API token, etc).
482482 security :
483483 # ...
484484 firewalls :
485+ # the order in which firewalls are defined is very important, as the
486+ # request will be handled by the first firewall whose pattern matches
485487 dev :
486488 pattern : ^/(_(profiler|wdt)|css|images|js)/
487489 security : false
490+ # a firewall with no pattern should be defined last because it will match all requests
488491 main :
489492 lazy : true
490493 # provider that you set earlier inside providers
@@ -510,10 +513,14 @@ will be able to authenticate (e.g. login form, API token, etc).
510513
511514 <config >
512515 <!-- ... -->
516+
517+ <!-- the order in which firewalls are defined is very important, as the
518+ request will be handled by the first firewall whose pattern matches -->
513519 <firewall name =" dev"
514520 pattern =" ^/(_(profiler|wdt)|css|images|js)/"
515521 security =" false" />
516522
523+ <!-- a firewall with no pattern should be defined last because it will match all requests -->
517524 <firewall name =" main"
518525 lazy =" true" />
519526
@@ -532,11 +539,15 @@ will be able to authenticate (e.g. login form, API token, etc).
532539
533540 return static function (SecurityConfig $security): void {
534541 // ...
542+
543+ // the order in which firewalls are defined is very important, as the
544+ // request will be handled by the first firewall whose pattern matches
535545 $security->firewall('dev')
536546 ->pattern('^/(_(profiler|wdt)|css|images|js)/')
537547 ->security(false)
538548 ;
539549
550+ // a firewall with no pattern should be defined last because it will match all requests
540551 $security->firewall('main')
541552 ->lazy(true)
542553