diff --git a/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php b/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
index 2804d0e820b5c..98f5ac04be303 100644
--- a/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/ExceptionListener.php
@@ -203,7 +203,15 @@ private function startAuthentication(Request $request, AuthenticationException $
             }
         }
 
-        return $this->authenticationEntryPoint->start($request, $authException);
+        $response = $this->authenticationEntryPoint->start($request, $authException);
+
+        if (!$response instanceof Response) {
+            $given = is_object($response) ? get_class($response) : gettype($response);
+
+            throw new \LogicException(sprintf('The %s::start() method must return a Response object (%s returned)', get_class($this->authenticationEntryPoint), $given));
+        }
+
+        return $response;
     }
 
     /**
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php
index 3d409e54579f3..db0a242d4adbf 100644
--- a/src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Firewall/ExceptionListenerTest.php
@@ -65,6 +65,20 @@ public function getAuthenticationExceptionProvider()
         );
     }
 
+    public function testExceptionWhenEntryPointReturnsBadValue()
+    {
+        $event = $this->createEvent(new AuthenticationException());
+
+        $entryPoint = $this->getMock('Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface');
+        $entryPoint->expects($this->once())->method('start')->will($this->returnValue('NOT A RESPONSE'));
+
+        $listener = $this->createExceptionListener(null, null, null, $entryPoint);
+        $listener->onKernelException($event);
+        // the exception has been replaced by our LogicException
+        $this->assertInstanceOf('LogicException', $event->getException());
+        $this->assertStringEndsWith('start() method must return a Response object (string returned)', $event->getException()->getMessage());
+    }
+
     /**
      * @dataProvider getAccessDeniedExceptionProvider
      */

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Transitional//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<title>pFad - Phonifier reborn</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
</head>
<body>
<h1>Pfad - The Proxy pFad of &#169; 2024 Garber Painting. All rights reserved.</h1>


<!-- Disclaimer -->
<p>Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.</p>
<br>
<p>Alternative Proxies:</p><p><a href="http://rainy.clevelandohioweatherforecast.com/php-proxy/index.php?q=https://patch-diff.githubusercontent.com/raw/symfony/symfony/pull/18656.diff" target="_blank">Alternative Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/index.php?u=https://patch-diff.githubusercontent.com/raw/symfony/symfony/pull/18656.diff" target="_blank">pFad Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v3index.php?u=https://patch-diff.githubusercontent.com/raw/symfony/symfony/pull/18656.diff" target="_blank">pFad v3 Proxy</a></p><p><a href="http://rainy.clevelandohioweatherforecast.com/pFad/v4index.php?u=https://patch-diff.githubusercontent.com/raw/symfony/symfony/pull/18656.diff" target="_blank">pFad v4 Proxy</a></p></body>
</html>