Tags: authentication, symfony, jwt, fosrestbundle, lexikjwtauthbundle

LexikJWTAuthenticationBundle - How to grant different access to different paths?


I am using LexikJWTAuthenticationBundle to authenticate in my web application using a REST web service.

I want to divide my application into two sections:

and so on.

The idea is to do this via URL:

/api       #reach the public content of the website
/api/admin #reach private admin content, if not logged in -> loginpage

I tried this in the security.yaml:

    access_control:
    - { path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/admin,       roles: IS_AUTHENTICATED_FULLY }

But when I try to load the content like this:

curl -X GET <baseurl-backend>/api/content/list #generic example

I get:

{code: 401, message: "JWT Token not found"}

Here's the security.yaml with all the configuration:

security:
    encoders:
        App\Entity\User:
            algorithm: argon2i

    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login:
            pattern:  ^/api/login
            stateless: true 
            anonymous: true 
            json_login:
                check_path: /api/login_check #path for checking
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
        api:
            pattern:   ^/api
            stateless: true
            guard:
                authenticators:
                - lexik_jwt_authentication.jwt_token_authenticator
        main: 
            anonymous: true

    access_control:
    - { path: ^/api, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
    - { path: ^/api/admin,       roles: IS_AUTHENTICATED_FULLY }

Thank you for your help!


Solution

  • You should add anonymous: true to your api firewall.

    api:
        pattern:   ^/api
        stateless: true
        anonymous: true
        guard:
            authenticators:
            - lexik_jwt_authentication.jwt_token_authenticator
    

    If you want to block access to api/admin, you should add another firewall on top of your api firewall:

    api_admin:
        pattern:   ^/api/admin
        stateless: true
        guard:
            authenticators:
            - lexik_jwt_authentication.jwt_token_authenticator
    api:
        pattern:   ^/api
        stateless: true
        anonymous: true
        guard:
            authenticators:
            - lexik_jwt_authentication.jwt_token_authenticator
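The answer works because Symfony evaluates firewalls in the order they are written and uses the first one whose pattern matches the request path, which is why the stricter api_admin firewall has to sit above api. The same first-match rule applies to access_control, so the question's list, which puts ^/api before ^/api/admin, never reaches the ^/api/admin entry. The script below is an added illustration (not Symfony's or the bundle's own code) that models both lists as ordered regex tables and replays the requests from the question against the asker's and the answer's firewall order; the "valid"/"invalid" token labels are constructed stand-ins for a real JWT check.

```python
import re

# Constructed model of Symfony's first-match rule for firewalls and
# access_control entries: each pattern is tried in the order written in
# security.yaml, and the first one matching the request path decides.

# Firewalls as (name, pattern, anonymous_allowed). A pattern of None matches
# every path (the "main" firewall); "dev" has security: false, so it is
# modelled as letting everything through.
DEV = ("dev", r"^/(_(profiler|wdt)|css|images|js)/", True)
LOGIN = ("login", r"^/api/login", True)
MAIN = ("main", None, True)

# The asker's order: "api" lacks anonymous: true, so every /api path needs a JWT.
ASKER_FIREWALLS = [DEV, LOGIN, ("api", r"^/api", False), MAIN]

# The answer's order: a stricter "api_admin" firewall is placed above "api".
ANSWER_FIREWALLS = [
    DEV,
    LOGIN,
    ("api_admin", r"^/api/admin", False),
    ("api", r"^/api", True),
    MAIN,
]


def match_firewall(firewalls, path):
    """Return (name, anonymous_allowed) of the first firewall matching the path."""
    for name, pattern, anonymous in firewalls:
        if pattern is None or re.search(pattern, path):
            return name, anonymous
    raise LookupError(f"no firewall matches {path}")


def handle_request(firewalls, path, token=None):
    """Simulate the guard authenticator for one request.

    token is None (no Authorization header), "valid" or "invalid"; these are
    constructed labels, not a real JWT verification. Returns (firewall, status).
    """
    name, anonymous = match_firewall(firewalls, path)
    if token == "valid":
        return name, 200
    if token == "invalid":
        # A presented but bad token is rejected even on an anonymous firewall.
        return name, 401
    # No credentials at all: only an anonymous-enabled firewall lets it in,
    # otherwise the entry point answers 401 "JWT Token not found".
    return name, 200 if anonymous else 401


# access_control is also first-match. In the asker's list ^/api comes first,
# so the ^/api/admin entry is shadowed; moving it up restores the intent.
ASKER_ACCESS_CONTROL = [
    (r"^/api", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/api/login", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/api/admin", "IS_AUTHENTICATED_FULLY"),
]
REORDERED_ACCESS_CONTROL = [
    (r"^/api/login", "IS_AUTHENTICATED_ANONYMOUSLY"),
    (r"^/api/admin", "IS_AUTHENTICATED_FULLY"),
    (r"^/api", "IS_AUTHENTICATED_ANONYMOUSLY"),
]


def required_role(rules, path):
    """Return the role of the first access_control entry matching the path."""
    for pattern, role in rules:
        if re.search(pattern, path):
            return role
    return None


if __name__ == "__main__":
    for path, token in [("/api/content/list", None),
                        ("/api/admin/users", None),
                        ("/api/admin/users", "valid")]:
        print(path, token,
              "asker:", handle_request(ASKER_FIREWALLS, path, token),
              "answer:", handle_request(ANSWER_FIREWALLS, path, token))
    print("asker access_control /api/admin/users ->",
          required_role(ASKER_ACCESS_CONTROL, "/api/admin/users"))
    print("reordered access_control /api/admin/users ->",
          required_role(REORDERED_ACCESS_CONTROL, "/api/admin/users"))
```

Running it shows the question's symptom (every /api request without a token gets 401 under the asker's order) and the answer's behaviour (public content is served anonymously while /api/admin still demands a token). It also shows that the asker's access_control list resolves /api/admin/users to IS_AUTHENTICATED_ANONYMOUSLY, so if the admin restriction is ever expressed through access_control instead of a separate firewall, the more specific pattern must come first.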