I have a Symfony2 application with a REST API and a SonataAdmin backend.
In the security.yml file I have the following:
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt
    role_hierarchy:
        ROLE_ADMIN: [ROLE_USER, ROLE_SONATA_ADMIN]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
        SONATA:
            - ROLE_SONATA_PAGE_ADMIN_PAGE_EDIT
    providers:
        fos_userbundle:
            id: fos_user.user_manager
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        admin:
            pattern: /admin(.*)
            context: user
            form_login:
                provider: fos_userbundle
                login_path: /admin/login
                use_forward: false
                check_path: /admin/login_check
                failure_path: null
            logout:
                path: /admin/logout
            anonymous: true
        oauth_token:
            pattern: ^/oauth/v2/token$
            security: false
        oauth_authorize:
            pattern: ^/oauth/v2/auth$
            security: false
            # Add your favorite authentication process here
        api:
            pattern: ^/api(?!/user$)(?!/user/visit/)(?!/doc$) # with this pattern everything under api except doc is protected
            fos_oauth: true
            stateless: true
            anonymous: false # can be omitted as its default value
        main:
            pattern: .*
            context: user
            form_login:
                provider: fos_userbundle
                login_path: /login
                use_forward: false
                check_path: /login_check
                failure_path: null
            logout: true
            anonymous: true
    access_control:
        # FOSUserBundle URLs that must be available to anonymous users
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # the admin login URL needs to be accessible without credentials
        - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, role: [ROLE_SUPER_ADMIN] }
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/doc/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # API URLs. Must always be validated.
        - { path: ^/api, roles: [ IS_FULLY_AUTHENTICATED ] }
That is, among other routes, I have the following security settings:
- Routes matching /admin(.*) are protected under the admin firewall.
- Routes matching ^/api(?!/user$)(?!/user/visit/)(?!/doc$) (everything under /api except /api/user, /api/user/visit and /api/doc) are protected under OAuth2.
Now I have been asked that the documentation of /api be protected, but by the admin, so that if the user is not authenticated they are redirected to /admin/login, and if they are authenticated the documentation is shown.
I changed the admin pattern to the following:
(admin(.*))|(\/api\/doc(.*))
and the api pattern now looks like this:
^/api(?!/user$)(?!/user/visit/)
However, when I access /api/doc in the browser while not logged in, the documentation still appears. It looks like security is not being applied, or there is something I am not doing right.
Can anyone suggest a solution?
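As an added example, not part of the question above, here is a version of the firewall and access_control sections arranged to meet the stated goal (anonymous users hitting /api/doc are sent to /admin/login, authenticated admins see the documentation). It relies on two Symfony facts: firewalls are selected by the first `pattern` that matches the path, and access_control rules are also evaluated first-match, so a catch-all `^/.*` rule placed above a more specific rule shadows it. The role required for the documentation (ROLE_SUPER_ADMIN, as the question uses for /admin) and the exact anchored patterns are assumptions; only the parts that change from the question's config are shown.

```yaml
# Added example, not the questioner's configuration. Only the firewalls and
# access_control entries that differ from the question are shown; encoders,
# providers and the dev/oauth_token/oauth_authorize/main firewalls stay as they are.
security:
    firewalls:
        admin:
            # Anchor the regex. Symfony matches firewall patterns with preg_match
            # against the path, unanchored, so "(admin(.*))|(\/api\/doc(.*))" would
            # also claim any URL that merely contains the substring "admin".
            # Firewalls are tried in order, so this one must stay above "api"
            # and "main" for /api/doc to land here (assumed pattern).
            pattern: ^/(admin|api/doc)
            context: user
            form_login:
                provider: fos_userbundle
                login_path: /admin/login
                use_forward: false
                check_path: /admin/login_check
                failure_path: null
            logout:
                path: /admin/logout
            # anonymous: true is what makes an unauthenticated hit on a protected
            # path redirect to login_path instead of returning a 401/403 outright.
            anonymous: true
        api:
            # /api/doc no longer needs excluding here: the admin firewall above
            # already owns it before this pattern is tried.
            pattern: ^/api(?!/user$)(?!/user/visit/)
            fos_oauth: true
            stateless: true
            anonymous: false

    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin, role: ROLE_SUPER_ADMIN }
        # access_control is first-match. In the question the catch-all "^/.*"
        # rule with IS_AUTHENTICATED_ANONYMOUSLY sits above the "^/api/doc" rule,
        # so an anonymous request to /api/doc satisfies the catch-all and the doc
        # rule is never reached. The doc rule has to come before the catch-all
        # and require a real role (ROLE_SUPER_ADMIN is assumed here).
        - { path: ^/api/doc, role: ROLE_SUPER_ADMIN }
        # Note: the attribute is IS_AUTHENTICATED_FULLY; IS_FULLY_AUTHENTICATED
        # (as written in the question) is not a Symfony attribute.
        - { path: ^/api, role: IS_AUTHENTICATED_FULLY }
        # The catch-all goes last so it cannot shadow anything above it.
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }
```

To check which firewall and rule a path actually hits, run `php app/console router:match /api/doc` for the route and `php app/console debug:config security` (or `config:dump-reference` on older 2.x) to confirm the effective ordering after the cache is cleared; the order in the dumped access_control list is the order Symfony evaluates.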