It should be noted that it is best to use only one firewall with access_control for the login page. What for? What would you do if a registered user tries to access the / login page? You cannot verify the controller if it has been authenticated and redirected, because the user will be authenticated on your main firewall, but not on the login firewall, as these are separate security systems.
Here is security.yml that works fine for me:
security: firewalls: dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: true anonymous: ~ secured_area: pattern: ^/ anonymous: ~ form_login: login_path: /login check_path: /login_check always_use_default_target_path: true default_target_path: / logout: path: /logout target: / providers: main: entity: { class: Core\UserBundle\Entity\User, property: username } access_control: - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY } - { path: ^/admin, roles: ROLE_SUPERADMIN } - { path: ^/user, roles: ROLE_USER } - { path: ^/, roles: IS_AUTHENTICATED_FULLY }