I have uploaded files located at /web/uploads and I need give access only to specific users. My users are not in security context (I know that is bad solution). I think I must move files away from /web folder (like /uploads) and create controller which will process access to files. Am I right or exist better solution?
Symfony version is 2.5.10
Your approach is solid. In the controller action, you can setup your logical calls to validate file access.
I would recommend creating a Service for this, so that you can reuse it outside of that specific controller if ever needed.
You can read a bit more on http://symfony.com/doc/current/book/service_container.html
At it's core, Symfony supports and pushes towards a service oriented architecture, controllers exist mostly to facilitate the handling of Request and Response objects.