bundles/AdminBundle/Resources/config/security_services.yaml

services:
    _defaults:
        autowire: true
        autoconfigure: true

    #
    # SECURITY
    #

    # standard user provider returning admin users wrapped in a Pimcore\Bundle\AdminBundle\Security\User\User proxy object.
    # using this user provider allows implementations to authenticate against pimcore users on every desired firewall
    Pimcore\Bundle\AdminBundle\Security\User\UserProvider: ~

    # the password encoder factory builds a dedicated encoder per user
    # as we need the user instance to encode passwords. see pimcore.security.encoder_factories
    # we don't specifiy this as fully qualified class name as there can be multiple factories (one for each user type)
    pimcore_admin.security.password_encoder_factory:
        class: Pimcore\Security\Encoder\Factory\UserAwareEncoderFactory
        arguments:
            - Pimcore\Bundle\AdminBundle\Security\Encoder\AdminPasswordEncoder

    # guard implementation handling admin form login for the main admin firewall
    Pimcore\Bundle\AdminBundle\Security\Guard\AdminAuthenticator:
        public: false
        arguments:
            $httpUtils: '@security.http_utils'
        calls:
            - [setLogger, ['@logger']]
        tags:
            - { name: monolog.logger, channel: security }


    Pimcore\Bundle\AdminBundle\Security\LogoutSuccessHandler:
        public: false
        arguments:
            - '@security.token_storage'
            - '@router'
            - '@event_dispatcher'
        calls:
            - [setLogger, ['@logger']]
        tags:
            - { name: monolog.logger, channel: security }

    Pimcore\Bundle\AdminBundle\Security\User\TokenStorageUserResolver:
        public: true
        arguments:
            - '@security.token_storage'

    Pimcore\Bundle\AdminBundle\Security\User\UserLoader: ~

    Pimcore\Bundle\AdminBundle\Security\BruteforceProtectionHandler:
        public: false
        calls:
            - [setLogger, ['@logger']]
        tags:
            - { name: monolog.logger, channel: security }

    Pimcore\Bundle\AdminBundle\Security\CsrfProtectionHandler:
        public: true
        arguments:
            - '%pimcore_admin.csrf_protection.excluded_routes%'
            - '@twig'
        calls:
            - [setLogger, ['@logger']]
        tags:
            - { name: monolog.logger, channel: security }

    Pimcore\Bundle\AdminBundle\Security\ContentSecurityPolicyHandler:
        public: true
        calls:
            - [ setLogger, [ '@logger' ] ]
        tags:
            - { name: monolog.logger, channel: security }

    # user checker checking admin users for validity
    Pimcore\Bundle\AdminBundle\Security\User\UserChecker: ~