diff --git a/src/Configuration/Security.php b/src/Configuration/Security.php
index c884eb63..8b36a0b1 100644
--- a/src/Configuration/Security.php
+++ b/src/Configuration/Security.php
@@ -59,7 +59,7 @@ public function __construct(
             $values = $data;
         }
 
-        $values['message'] = $values['message'] ?? $message;
+        $values['message'] = $values['message'] ?? $message ?? $this->message;
         $values['statusCode'] = $values['statusCode'] ?? $statusCode;
 
         parent::__construct($values);
diff --git a/tests/Configuration/SecurityTest.php b/tests/Configuration/SecurityTest.php
new file mode 100644
index 00000000..58234044
--- /dev/null
+++ b/tests/Configuration/SecurityTest.php
@@ -0,0 +1,54 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Sensio\Bundle\FrameworkExtraBundle\Tests\Configuration;
+
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
+
+class SecurityTest extends \PHPUnit\Framework\TestCase
+{
+    public function testEmptyConstruct()
+    {
+        $security = new Security([]);
+        $this->assertEquals('Access denied.', $security->getMessage());
+        $this->assertNull($security->getStatusCode());
+        $this->assertNull($security->getExpression());
+        $this->assertEquals('security', $security->getAliasName());
+        $this->assertTrue($security->allowArray());
+    }
+
+    public function testSettersViaConstruct()
+    {
+        $security = new Security("is_granted('foo')", 'Not allowed', 403);
+        $this->assertEquals('Not allowed', $security->getMessage());
+        $this->assertEquals(403, $security->getStatusCode());
+        $this->assertEquals("is_granted('foo')", $security->getExpression());
+    }
+
+    public function testSetters()
+    {
+        $security = new Security("is_granted('foo')", 'Not allowed', 403);
+        $security->setExpression("is_granted('bar')");
+        $security->setMessage('Disallowed');
+        $security->setStatusCode(404);
+        $this->assertEquals('Disallowed', $security->getMessage());
+        $this->assertEquals(404, $security->getStatusCode());
+        $this->assertEquals("is_granted('bar')", $security->getExpression());
+    }
+
+    public function testDataWinsOverExplicitParam()
+    {
+        $security = new Security(['expression' => "is_granted('foo')", 'message' => 'Not allowed', 'statusCode' => 403], 'Disallowed', 404);
+        $this->assertEquals('Not allowed', $security->getMessage());
+        $this->assertEquals(403, $security->getStatusCode());
+        $this->assertEquals("is_granted('foo')", $security->getExpression());
+    }
+}