I have a Symfony bundle which can only be accessible by using mydomain.com/box

To access /box you must be logged in, however i would like to enable anonymous access into mydomain.com/box/download

# Security.yml
access_control:
    - { path: ^/box , roles: ROLE_USER}

How can i do ?

# security.yml
access_control:
    - { path: ^/box/download , roles: IS_AUTHENTICATED_ANONYMOUSLY}
    - { path: ^/box , roles: ROLE_USER}

Symfony2 firewalls are processed in order, and only first matching one will be applied. Therefore, if you put the /box/download before /box, the /box/download rule will be processed and the rest will be ignored.

http://symfony.com/doc/current/book/security.html