
Access to /admin: why can any user logged into the system access it?

I have spent days trying to make this work and I can't, so as a last resort I hope someone can help me here. The point is that my application, like every application, has a frontend which should be accessible to any user registered in the system except those that have, so far, the role ROLE_ADMIN, and a backend which, conversely, should be accessible only to users with ROLE_ADMIN; normal users who have no roles or have the default role ROLE_USER should not be able to log in either.

The problem I have is that if I sign in with any normal user without permissions for the admin area (lacking ROLE_ADMIN) and access the URL app.php/admin, they can enter without any problem, which is completely wrong. On the other hand, if I try to log on to the frontend with any user with ROLE_ADMIN, they can do it without any problem, and this should not happen.

This is my security.yml configuration:

security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512

    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
                login_path:  /login
                check_path:  /login_check
                default_target_path: home
                always_use_default_target_path: true
                use_referer: true
            logout:
                path: fos_user_security_logout
                target: /
                invalidate_session: true
            anonymous: ~

    access_control:
        # Anonymous area
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/isLoggedIn$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/registro, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/cedula, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/rif, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/correo, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/usuario, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/razon_social, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/registro_mercantil, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/padre, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/correo_alternativo, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/paises, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/estados, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/ciudades, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/municipios, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/parroquias, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/empresas, role: IS_AUTHENTICATED_ANONYMOUSLY }

        # Secured area
        - { path: ^/, role: ROLE_USER }
        - { path: ^/admin, role: ROLE_ADMIN }

What am I doing wrong? Can anyone give me any suggestions?

I have read the docs from top to bottom several times but don't get what I'm doing wrong.

Access control works very similarly to routing: the first match is the one executed.

This means that requests for /admin will be matched with:

- { path: ^/, role: ROLE_USER }

You should put your /admin rule first. Also, I find it much better practice to secure the controllers whenever you can (which avoids common problems like these): http://symfony.com/doc/current/book/security.html#securing-controllers-and-other-code
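As an added illustration of the first-match rule described above (this is not code from the question or from Symfony itself), here is a small Python model of how access_control is evaluated, using a constructed subset of the rules from the question. It also includes a check that reports rules which can never win because an earlier, broader pattern always matches first.

```python
import re

# Constructed subset of the question's access_control list, in its original order.
# Symfony matches `path` as an unanchored regex against the request path, so the
# search-style matching below mirrors that behaviour.
ORIGINAL_RULES = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/", "ROLE_USER"),          # matches every path, including /admin
    (r"^/admin", "ROLE_ADMIN"),    # never reached: ^/ already matched
]

# Same rules with the /admin entry moved ahead of the catch-all, as the answer suggests.
FIXED_RULES = [
    (r"^/login$", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/register", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/admin", "ROLE_ADMIN"),
    (r"^/", "ROLE_USER"),
]


def required_role(rules, path):
    """Return the role demanded by the FIRST matching rule, or None if nothing matches."""
    for pattern, role in rules:
        if re.search(pattern, path):
            return role
    return None


def is_granted(user_roles, rules, path):
    """Decide access the way the firewall would: only the first matching rule counts.
    Note: no role_hierarchy is modelled, so a user holding only ROLE_ADMIN does not
    implicitly satisfy ROLE_USER (the question's config defines no hierarchy either)."""
    role = required_role(rules, path)
    if role is None or role == "IS_AUTHENTICATED_ANONYMOUSLY":
        return True
    return role in set(user_roles)


def shadowed_rules(rules, sample_paths):
    """Rules that match at least one sample path but never decide any of them,
    because an earlier rule matched first. Useful as a config lint before deploying."""
    winners = set()
    for path in sample_paths:
        for i, (pattern, _) in enumerate(rules):
            if re.search(pattern, path):
                winners.add(i)
                break
    return [rules[i] for i, (pattern, _) in enumerate(rules)
            if i not in winners and any(re.search(pattern, p) for p in sample_paths)]
```

Run `shadowed_rules` over the real access_control list with the application's route paths as samples, and any rule it reports is one the firewall will never apply.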
