In my Symfony security.yml file I have set up access control to prevent unauthenticated users from accessing my api routes:
    access_control:
        - { path: ^/api$, role: IS_AUTHENTICATED_FULLY }
I have also created an exception listener (onKernelException) that I use to send exceptions back as responses. I would expect an AccessDeniedException to be thrown and caught by the exception listener but this does not happen. Why not? How can I work around this?
You need to check in the DEV environment (append "app_dev.php" to your URL), then check the log file at this path:
var/logs/dev.log
I get an exception in the scenario you described, plus on the web page you'll see an "Access denied" message.
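Symfony's firewall registers its own kernel.exception listener, which handles an AccessDeniedException for a user who is not fully authenticated by starting the authentication entry point, so a listener that runs after it may never see the exception. The subscriber below is an added example (not code from the question or the answer) that runs ahead of it for /api paths and answers with JSON; the class name, namespace, priority value and the Symfony 3.x event class are assumptions.

```php
<?php
// Added example; namespace and class name are hypothetical.
namespace AppBundle\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;

class ApiSecurityExceptionSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents()
    {
        // Assumption: the firewall's own exception listener runs at
        // priority 1 or lower, so 8 places this subscriber in front of it.
        return [KernelEvents::EXCEPTION => ['onKernelException', 8]];
    }

    public function onKernelException(GetResponseForExceptionEvent $event)
    {
        // Leave non-API pages to the firewall (login redirect and so on).
        if (strpos($event->getRequest()->getPathInfo(), '/api') !== 0) {
            return;
        }

        $exception = $event->getException();
        if ($exception instanceof AuthenticationException) {
            $status = 401; // no usable credentials were presented
        } elseif ($exception instanceof AccessDeniedException) {
            $status = 403; // a token (possibly anonymous) was refused by the rule
        } else {
            return; // not a security exception, let other listeners handle it
        }

        // Fixed error codes only: exception messages can leak internals.
        // setResponse() also stops propagation, so the firewall's listener
        // does not replace this response with its entry point.
        $event->setResponse(new JsonResponse(
            ['error' => $status === 401 ? 'authentication_required' : 'access_denied'],
            $status
        ));
    }
}
```

The path in the access rule is a regular expression, and ^/api$ matches only the exact path /api; a route such as /api/items is not covered by that rule.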