security_legacy.yaml

security:
    # symfony default is set to "true".
    # you may want to keep it "true" but keep in mind that this hide meaningful exceptions like "acount is disabled"
    # instead the BadCredentialsException will be thrown
    hide_user_not_found: false

    providers:

        # [...] other providers

        members:
            id: MembersBundle\Security\UserProvider

    firewalls:

        # [...] other firewalls

        members_fe:
            pattern: ^/(?!(admin)($|/)).*$
            provider: members
            form_login:
                login_path: members_user_security_login
                check_path: members_user_security_check
                csrf_token_generator: security.csrf.token_manager
            logout:
                path: members_user_security_logout
                invalidate_session: false
                target: /
            anonymous: true
            user_checker: MembersBundle\Security\UserChecker

    access_control:

        # [...] other access controls

        - { path: ^/_locale/members/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/_locale/members/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/_locale/members/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }