@Secure annotation for Symfony 2.3

We created the LswSecureControllerBundle to provide @Secure annotation in Symfony 2.3 to secure actions in controllers by specifying required roles. This functionality was provided by the JMSSecurityExtraBundle, included in Symfony 2.0, 2.1 and 2.2. In  Symfony 2.3 it was removed because of a license incompatibility between Symfony Core and the JMSSecurityExtraBundle. On the official blog Fabien Potencier (author of Symfony) writes:

As the Symfony Standard Edition is under the MIT license, we did not want to have anything else in its deps. That helps people developing GPL projects on top of Symfony. That said, if you are developing your own project, using dependencies under an Apache license should not be a problem at all. So, feel free to add them back. — Fabien Potencier in a response

So, the JMS bundles are no longer included by default and honestly, apart from the license, it is a huge pile of code. Especially as the only feature we use from it, is the @Secure annotation to require roles for executing specific actions in the controllers. Please note that it is not only a beefy bundle, but it also has an impressive set of dependencies:

And don’t get me wrong; I believe the JMSSecurityExtraBundle does a lot of other things that are very valuable and fully justifies its size and its dependencies. I also highly respect Johannes Schmitt for his efforts in the Symfony community and his coding skills. However, if you only need this one feature and want to stay lean (122 lines of code) or if you need a more permissive license, then our bundle is the one for you.

Installation and usage

Figure 1: Symfony 2.3 denying access based on a @Secure annotation

Installation of this bundle is just like any other; details can be found in the README. We will show the usage by providing an example based on the standard Symfony 2.3 AcmeDemoBundle. We use the @Secure annotation in the AcmeDemoBundle to secure the “hello world” page requiring the role “ROLE_TEST” to execute.

In “src/Acme/DemoBundle/Controller/SecuredController.php” you should add the following line on top, but under the namespace definition:

use Lsw\SecureControllerBundle\Annotation\Secure;

To require the “ROLE_TEST” for “helloAction” in the “SecuredController” you should add @Secure annotation to the DocBlock of the “helloAction” like this (line 2):

     * @Secure(roles="ROLE_TEST")
     * @Route("/hello", defaults={"name"="World"}),
     * @Route("/hello/{name}", name="_demo_secured_hello")
     * @Template()
    public function helloAction($name)
        return array('name' => $name);

Note that you can only use the @Secure annotation on actions that are protected by a firewall. You can configure the firewall in the “app/config/security.yml” file.


Creating the bundle would not have been possible without Matthias Noback’s excellent posts:

Thank you Matthias!


We are committed to support this bundle and, as with all our bundles, you can contact us via the LswSecureControllerBundle Github page if you find a bug or want a feature to be added.


2 thoughts on “@Secure annotation for Symfony 2.3”

Leave a Reply

Your email address will not be published. Required fields are marked *