How to Customize Access Denied Responses

How to Customize Access Denied Responses

In Symfony, you can throw an Symfony\Component\Security\Core\Exception\AccessDeniedException to disallow access to the user. Symfony will handle this exception and generates a response based on the authentication state:

  • If the user is not authenticated (or authenticated anonymously), an authentication entry point is used to generated a response (typically a redirect to the login page or an 401 Unauthorized response);
  • If the user is authenticated, but does not have the required permissions, a 403 Forbidden response is generated.

Customize the Unauthorized Response

You need to create a class that implements Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface. This interface has one method (start()) that is called whenever an unauthenticated user tries to access a protected resource:

  1. // src/Security/AuthenticationEntryPoint.php
  2. namespace App\Security;
  4. use Symfony\Component\HttpFoundation\RedirectResponse;
  5. use Symfony\Component\HttpFoundation\Request;
  6. use Symfony\Component\HttpFoundation\Session\SessionInterface;
  7. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  8. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  9. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  11. class AuthenticationEntryPoint implements AuthenticationEntryPointInterface
  12. {
  13.     private $urlGenerator;
  14.     private $session;
  16.     public function __construct(UrlGeneratorInterface $urlGenerator, SessionInterface $session)
  17.     {
  18.         $this->urlGenerator = $urlGenerator;
  19.         $this->session = $session;
  20.     }
  22.     public function start(Request $request, AuthenticationException $authException = null): RedirectResponse
  23.     {
  24.         // add a custom flash message and redirect to the login page
  25.         $this->session->getFlashBag()->add('note', 'You have to login in order to access this page.');
  27.         return new RedirectResponse($this->urlGenerator->generate('security_login'));
  28.     }
  29. }

That’s it if you’re using the default services.yaml configuration. Otherwise, you have to register this service in the container.

Now, configure this service ID as the entry point for the firewall:

  • YAML

    1. # config/packages/security.yaml
    2. firewalls:
    3.     # ...
    5.     main:
    6.         # ...
    7.         entry_point: App\Security\AuthenticationEntryPoint

  • XML

    1. <!-- config/packages/security.xml -->
    2. <?xml version="1.0" encoding="UTF-8" ?>
    3. <srv:container xmlns="http://symfony.com/schema/dic/security"
    4.     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    5.     xmlns:srv="http://symfony.com/schema/dic/services"
    6.     xsi:schemaLocation="http://symfony.com/schema/dic/services
    7.         https://symfony.com/schema/dic/services/services-1.0.xsd">
    9.     <config>
    10.         <firewall name="main"
    11.             entry-point="App\Security\AuthenticationEntryPoint"
    12.         >
    13.             <!-- ... -->
    14.         </firewall>
    15.     </config>
    16. </srv:container>

  • PHP

    1. // config/packages/security.php
    2. use App\Security\AuthenticationEntryPoint;
    4. $container->loadFromExtension('security', [
    5.     'firewalls' => [
    6.         'main' => [
    7.             // ...
    8.             'entry_point' => AuthenticationEntryPoint::class,
    9.         ],
    10.     ],
    11. ]);

Customize the Forbidden Response

Create a class that implements Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface. This interface defines one method called handle() where you can implement whatever logic that should execute when access is denied for the current user (e.g. send a mail, log a message, or generally return a custom response):

  1. // src/Security/AccessDeniedHandler.php
  2. namespace App\Security;
  4. use Symfony\Component\HttpFoundation\Request;
  5. use Symfony\Component\HttpFoundation\Response;
  6. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  7. use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
  9. class AccessDeniedHandler implements AccessDeniedHandlerInterface
  10. {
  11.     public function handle(Request $request, AccessDeniedException $accessDeniedException): ?Response
  12.     {
  13.         // ...
  15.         return new Response($content, 403);
  16.     }
  17. }

If you’re using the default services.yaml configuration, you’re done! Symfony will automatically know about your new service. You can then configure it under your firewall:

  • YAML

    1. # config/packages/security.yaml
    2. firewalls:
    3.     # ...
    5.     main:
    6.         # ...
    7.         access_denied_handler: App\Security\AccessDeniedHandler

  • XML

    1. <!-- config/packages/security.xml -->
    2. <?xml version="1.0" encoding="UTF-8" ?>
    3. <srv:container xmlns="http://symfony.com/schema/dic/security"
    4.     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    5.     xmlns:srv="http://symfony.com/schema/dic/services"
    6.     xsi:schemaLocation="http://symfony.com/schema/dic/services
    7.         https://symfony.com/schema/dic/services/services-1.0.xsd">
    9.     <config>
    10.         <firewall name="main"
    11.             access-denied-handler="App\Security\AccessDeniedHandler"
    12.         >
    13.             <!-- ... -->
    14.         </firewall>
    15.     </config>
    16. </srv:container>

  • PHP

    1. // config/packages/security.php
    2. use App\Security\AccessDeniedHandler;
    4. $container->loadFromExtension('security', [
    5.     'firewalls' => [
    6.         'main' => [
    7.             // ...
    8.             'access_denied_handler' => AccessDeniedHandler::class,
    9.         ],
    10.     ],
    11. ]);

Customizing All Access Denied Responses

In some cases, you might want to customize both responses or do a specific action (e.g. logging) for each AccessDeniedException. In this case, configure a kernel.exception listener:

  1. // src/EventListener/AccessDeniedListener.php
  2. namespace App\EventListener;
  4. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  5. use Symfony\Component\HttpFoundation\Response;
  6. use Symfony\Component\HttpKernel\Event\ExceptionEvent;
  7. use Symfony\Component\HttpKernel\KernelEvents;
  8. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  10. class AccessDeniedListener implements EventSubscriberInterface
  11. {
  12.     public static function getSubscribedEvents(): array
  13.     {
  14.         return [
  15.             // the priority must be greater than the Security HTTP
  16.             // ExceptionListener, to make sure it's called before
  17.             // the default exception listener
  18.             KernelEvents::EXCEPTION => ['onKernelException', 2],
  19.         ];
  20.     }
  22.     public function onKernelException(ExceptionEvent $event): void
  23.     {
  24.         $exception = $event->getThrowable();
  25.         if (!$exception instanceof AccessDeniedException) {
  26.             return;
  27.         }
  29.         // ... perform some action (e.g. logging)
  31.         // optionally set the custom response
  32.         $event->setResponse(new Response(null, 403));
  34.         // or stop propagation (prevents the next exception listeners from being called)
  35.         //$event->stopPropagation();
  36.     }
  37. }

This work, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.