Description
Under a firewall configuration, it is possible to filter requests using all RequestMatcherInterface attributes (pattern, ip, host, methods...) OR by specifying directly the reference to a custom RequestMatcher to be used.
Under the access_control configuration, it is possible to define the restrictions based on all RequestMatcherInterface attributes too. The SecurityExtension class then creates the corresponding RequestMatcher (see SecurityExtension::createAuthorization() method) in the back.
It seems quite easy to allow users to specify a custom request matcher in this case too.
This request would allow users that need a custom request matcher on their firewalls (checking for custom headers...) to use the same request matcher for access control rules & enforce these rules automatically on all requests matched by the firewall.
Is there a specific reason as to why this is not possible today or is it an enhancement that could be useful?
Cheers
Example
Before
security:
    firewalls:
        main:
            request_matcher: App\Security\RequestMatcher\CustomRequestMatcher
            ....
    access_control:
        - { path: ..., ..., roles: [...]}
        # impossible to precisely set access control rules to match the requests supported by the firewall
After
security:
    firewalls:
        main:
            request_matcher: App\Security\RequestMatcher\CustomRequestMatcher
            ....
    access_control:
        - { path: '/login', roles: [PUBLIC_ACCESS]}
        - { request_matcher: App\Security\RequestMatcher\CustomRequestMatcher, roles: ROLE_CUSTOM }
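
For reference, a sketch of what the CustomRequestMatcher named in the configuration could look like when it checks a custom header. This is an added example, not code from the issue author or from Symfony; the header name X-Api-Client and the allowed values are hypothetical.

```php
<?php

declare(strict_types=1);

namespace App\Security\RequestMatcher;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestMatcherInterface;

/**
 * Matches requests that carry a known value in a custom header.
 *
 * A matcher only decides WHICH requests a firewall or access rule applies to.
 * The header is client-controlled, so a request that omits or alters it simply
 * does not match and falls through to the next firewall or access_control rule.
 * Keep a restrictive catch-all after it so non-matching requests are not left
 * without any rule.
 */
final class CustomRequestMatcher implements RequestMatcherInterface
{
    // Hypothetical header name and values, chosen for illustration only.
    private const HEADER = 'X-Api-Client';
    private const ALLOWED_CLIENTS = ['partner-a', 'partner-b'];

    public function matches(Request $request): bool
    {
        // HeaderBag lookups are case-insensitive; get() returns null when absent.
        $client = $request->headers->get(self::HEADER);

        if ($client === null || $client === '') {
            return false;
        }

        // Strict comparison avoids PHP type juggling on unexpected header values.
        return in_array($client, self::ALLOWED_CLIENTS, true);
    }
}
```

Because the same class decides both firewall selection and rule selection in the "After" configuration, any change to the matching logic applies to both places at once, which is the consistency this request is after.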