I've implemented this in a current project as a service. The solution is straightforward but depends on security annotations. You may adapt the solution to fit your needs... It should be easy to use custom annotations or to combine this with configuration options running in from config.yml or a database.
This is related with Symfony Issue #6538
namespace Acme\Security\Roles;
use Symfony\Component\HttpFoundation\Request;