Security System

The SecurityBundle supports to work with different security systems. Each role is assigned to a security system. When a request happens, the request is assigned to a security system and the symfony firewall allows a user to login only if the user has at least one role in the assigned security system.

By default, there is a single security system called Sulu which is used for the administration interface.

Webspace Security System

A webspace can define a security system in its configuration. The security system will be assigned to the request when a user visits a page of the webspace.

If your webspace requires some kind of login, you should define a security system in its configuration:


If you want to restrict pages, media entities or custom entities to logged in users with a specific role, you need to enable permission-check in the webspace configuration:

<security permission-check="true">

To prevent caching problems with restricted entities, it is important to activate User context caching.

Custom Security System

You can register a custom security system in a Admin class. This is useful for sections like an intranet or an extranet which are not associated to a specific webspace:

namespace App\Sulu\Admin;

use Sulu\Bundle\AdminBundle\Admin\Admin;

class ExtranetAdmin extends Admin
    public const SYSTEM = 'Extranet';

    public function getSecurityContexts()
        return [self::SYSTEM => []];

Additionally, you need to register a request listener that assigns the custom security context to the request. To do this, you access the SystemStore service in your listener:

namespace App\Sulu\Security;

use App\Sulu\Admin\ExtranetAdmin;
use Sulu\Bundle\SecurityBundle\System\SystemStoreInterface;
use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Http\FirewallMapInterface;

class SecuritySystemSubscriber implements EventSubscriberInterface
    public function __construct(
        private SystemStoreInterface $systemStore,
        private FirewallMapInterface $map,
    ) {
        if (!$map instanceof FirewallMap) {
            throw new \LogicException(\sprintf('Expected "%s" but got "%s".', FirewallMap::class, \get_class($map)));

    public static function getSubscribedEvents(): array
        return [
            KernelEvents::REQUEST => [
                // need to be after @see \Sulu\Bundle\SecurityBundle\EventListener\SystemListener::getSubscribedEvents
                // need to be before @see \Symfony\Bundle\SecurityBundle\EventListener\FirewallListener::getSubscribedEvents
                ['processSecuritySystem', 9],

    public function processSecuritySystem(RequestEvent $event): void
        if (!$event->isMainRequest()) {

        $config = $this->map->getFirewallConfig($event->getRequest());
        if (!$config) {

        if ('extranet' === $config->getName()) {

System Store

The SystemStore service is used by the UserProvider to access the security system of the current request. It is registered with the service id sulu_security.system_store.