AccessDeniedException is converted to HTTP 302 even when request format is JSON #30099

Closed

@Jontsa

Description

When accessing a secured area using AJAX + JSON while not logged in, the ExceptionListener in the Symfony Security component may convert an AccessDeniedException into an HTTP 302 redirect to the login page. The JavaScript cannot really do anything with this since it is expecting JSON or an HTTP error code.

Any other exception would be converted to JSON and passed back to the browser with the correct HTTP status code. But in this case, you need to create your own event listener to convert this exception into JSON. This is the same issue as reported here: https://stackoverflow.com/questions/33240554/symfony2-security-annotation-turn-off-redirect-when-not-logged-in

See: Symfony\Component\Security\Http\Firewall\ExceptionListener::handleAccessDeniedException()

How to reproduce

  • Set up a controller that throws AccessDeniedException
  • Set up a controller that mocks a login page
  • Configure the route to the login page in security.yaml under form_login > login_path
  • Try to access the first controller using AJAX + JSON
  • You expect an HTTP 403 error but instead you get HTTP 200 with the login page contents

If needed, I can provide an example project in Github.
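The event listener the report mentions, written out as an added example (this is not code from the issue, from the reporter, or from Symfony itself). It assumes Symfony 4.4 or 5.x (`ExceptionEvent::getThrowable()`, `Symfony\Component\Security\Core\Security`), PHP 7.4+, and that the class is picked up by service autoconfiguration. The class name `JsonAccessDeniedSubscriber`, the namespace `App\EventSubscriber` and the helper `wantsJson()` are invented for the example. It goes one step beyond the issue text: because the redirect happens when the caller is anonymous (the firewall starts authentication via the form_login entry point), the example answers anonymous JSON callers with 401 and authenticated-but-unauthorised callers with 403, so the client can tell "log in" apart from "not allowed". The Security component's own ExceptionListener is registered on `kernel.exception` at priority 1, so the subscriber uses a higher priority and relies on `setResponse()` stopping propagation; a custom `AuthenticationEntryPointInterface` on the firewall is the other place this can be handled.

```php
<?php
// Added example, not from the issue or from Symfony: answer AJAX/JSON requests
// that hit AccessDeniedException with a JSON error instead of a 302 to the
// login page. Assumes Symfony 4.4/5.x and PHP 7.4+.

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Security;

final class JsonAccessDeniedSubscriber implements EventSubscriberInterface
{
    private Security $security;

    public function __construct(Security $security)
    {
        $this->security = $security;
    }

    public static function getSubscribedEvents(): array
    {
        // The Security component's ExceptionListener listens on kernel.exception
        // with priority 1. Running before it and calling setResponse() stops
        // propagation, so the login-page redirect is never produced.
        return [KernelEvents::EXCEPTION => ['onKernelException', 10]];
    }

    public function onKernelException(ExceptionEvent $event): void
    {
        $throwable = $event->getThrowable();
        $request = $event->getRequest();

        if (!$throwable instanceof AccessDeniedException
            && !$throwable instanceof AuthenticationException) {
            return; // other exceptions keep Symfony's default handling
        }
        if (!self::wantsJson($request)) {
            return; // plain browser navigation still gets the form_login redirect
        }

        // Anonymous caller: 401 tells the client it must authenticate.
        // Authenticated but not authorised: 403.
        $status = null === $this->security->getUser()
            ? JsonResponse::HTTP_UNAUTHORIZED
            : JsonResponse::HTTP_FORBIDDEN;

        $event->setResponse(new JsonResponse([
            'error'  => JsonResponse::$statusTexts[$status],
            'status' => $status,
        ], $status));
    }

    // Hypothetical helper: treat XHR, a json _format, or an Accept header that
    // prefers JSON as a request that must not be answered with an HTML page.
    private static function wantsJson(Request $request): bool
    {
        return $request->isXmlHttpRequest()
            || 'json' === $request->getRequestFormat(null)
            || 'json' === $request->getPreferredFormat(null);
    }
}
```

With this in place, the reproduction steps above yield a JSON body with status 401 (not logged in) or 403 (logged in, missing role) instead of a 200 carrying the login page, which is also what you want to see when reviewing access logs: a failed API authorisation shows up as a 4xx rather than being hidden behind a successful-looking 200.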
