In my Symfony security.yml file I have set up access control to prevent unauthenticated users from accessing my api routes:
access_control:
- { path: ^/api$, role: IS_AUTHENTICATED_FULLY }
I have also created an exception listener (onKernelException) that I use to send exceptions back as responses. I would expect an AccessDeniedException to be thrown and caught by the exception listener but this does not happen. Why not? How can I work around this?