
Symfony2 is_granted('IS_AUTHENTICATED_FULLY

Published 2019-02-04 08:43

Question:

I have setup custom error pages to display for certain HTTP errors in the folder:

app/Resources/TwigBundle/views/Exception/

The 403 page (error403.html.twig) works and displays as expected.

The 500 page (error500.html.twig) works and displays as expected.

The 404 page (error404.html.twig) throws a 500 server error:

PHP Fatal error: Uncaught exception 'Symfony\Component\Routing\Exception\ResourceNotFoundException'

The error is being thrown by doing an auth check to display certain menu items for users that are or aren't authenticated:

{% if is_granted('IS_AUTHENTICATED_FULLY') %}

If I remove that check and just allow all menu items to display, the page loads the error page as expected. Again, the 403 page displays as it should and utilizes the auth checks without a problem.

I'm stuck on this one. The pages are EXACTLY the same, apart from the filename.

Answer 1:

You can't use the is_granted in a 404 page since 2.1:

It's mentioned in the upgrade file

The Firewall listener is now registered after the Router listener. This means that specific Firewall URLs (like /login_check and /logout) must now have proper routes defined in your routing configuration. Also, if you have a custom 404 error page, make sure that you do not use any security related features such as is_granted on it.

See: https://github.com/symfony/symfony/blob/master/UPGRADE-2.1.md#security


Answer 2:

If Symfony < 2.8:

{% if app.user is not null and is_granted('ROLE_ADMIN') %}

See: https://github.com/symfony/symfony-docs/issues/2078

Edit from Dec 17 '15:

This is no longer needed since 2.8,

{% if is_granted('ROLE_ADMIN') %}

works fine now.

source: http://symfony.com/blog/new-in-symfony-2-8-dx-improvements#allow-to-check-for-security-even-in-pages-not-covered-by-firewalls


Answer 3:

I would suggest checking for app.security.token to be more strict; it evaluates to true even when the user is anonymous.

If you check for app.user it will evaluate to false in Exception templates, but also when the firewall is present (= regular templates) and the user is not logged in. This will prevent - for example - the display of a login button.

See: https://github.com/symfony/symfony-docs/pull/2359
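The following error404.html.twig is an added example written for this page; it is not code from the question or from the Symfony project. It shows where the guard from Answers 2 and 3 goes in a full error template: the 404 template is rendered outside the firewall, so there is no security token, and on Symfony < 2.8 an unguarded is_granted() call raises the exception from the question. The template name base.html.twig and the route names login and logout are assumptions; substitute your own.

```twig
{# error404.html.twig (added example, not from the original page).
   This template is rendered for requests that matched no route, so the
   firewall never ran and no security token exists. On Symfony < 2.8 a
   bare is_granted() here throws; the checks below are therefore guarded. #}
{% extends 'base.html.twig' %}   {# assumed layout name #}

{% block body %}
  <h1>Page not found</h1>
  <p>The page you requested does not exist.</p>

  <nav>
    {# Symfony < 2.8: test for a token first so the security check is
       skipped entirely when the firewall did not run. Using
       app.security.token rather than app.user keeps the branch reachable
       for anonymous users, so the login link still appears on regular
       pages where the user is simply not logged in. #}
    {% if app.security.token is not null and is_granted('IS_AUTHENTICATED_FULLY') %}
      <a href="{{ path('logout') }}">Log out</a>   {# 'logout' route name assumed #}
    {% else %}
      <a href="{{ path('login') }}">Log in</a>     {# 'login' route name assumed #}
    {% endif %}
  </nav>
{% endblock %}
```

On Symfony >= 2.8 the `app.security.token is not null and` prefix can be dropped, as Answer 2's edit notes; keeping it is harmless, since is_granted() then simply returns false when no token is present.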