Each module in your application can be protected through the use of the security.yml files. In the top-level security.yml file, I included the following (it was a backend application, so access should be restricted, when in doubt):

default:
  is_secure: on

Now, if you want to protect a module, apparently, it doesn’t work to include this in your main config:

default:
  is_secure: on
 
module1:
  credentials: admin

However, when including this in your module1/config/security.yml file, it works (the ‘all’ concerns the actions within this module):

all:
    is_secure: on
    credentials: admin

I assume the ‘is_secure: on’ might be omitted, as the default is set to on. It somehow bothers me to see that it is not possible to include this in the application-level security file, covering all the modules actions at once.

Four important notes when you encounter problems:

• The names listed as the credentials are the names you’ve given to your permissions! Seems logical, but try not to change them to much, as you might break access to certain parts of your site.
• The permissions assigned to the groups are granted to the users, and the permissions listed below the users are added when checked.
• When you change your own credentials, make sure to log out and log in again!
• And finally, control the access to the plugins sfGuardUsers, sfGuardGroups, sfGuardPermissions the same way as other modules, by changing the security.yml files in the plugins/sfGuardPlugin/modules/…/config/security.yml files. Don’t change the access to the sfGuardAuth module, as it needs to be accessible by anyone to be able to login (see picture).