diff --git a/security/access_denied_handler.rst b/security/access_denied_handler.rst
index bb55d4f6c83..ea8a88d656f 100644
--- a/security/access_denied_handler.rst
+++ b/security/access_denied_handler.rst
@@ -70,3 +70,8 @@ configure it under your firewall:
 
 That's it! Any ``AccessDeniedException`` thrown by code under the ``main`` firewall
 will now be handled by your service.
+
+.. note::
+
+    The ``AccessDeniedHandler`` will not be invoked if an anonymous user is trying to
+    access a protected resource. That will be an ``InsufficientAuthenticationException``.