views:

202

answers:

2

What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept url configuration such as the example below?

<http auto-config="false" access-decision-manager-ref="accessDecisionManager"
    use-expressions="true">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/login/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/error/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/register/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"
        requires-channel="http" />
    <form-login login-page="/login" login-processing-url="/login/submit"
        authentication-failure-url="/login/error" />
    <logout logout-url="/logout" />
</http>
A: 

ROLE_ANONYMOUS has no user credentials, ROLE_USER has user credentials... has been authenticated.

this is my interpretation based on the configuration provided

Aaron Saunders
+2  A: 

ROLE_ANONYMOUS is the default role assigned to an unauthenticated (anonymous) user when a configuration uses Spring Security's "anonymous authentication" filter . This is enabled by default. However, it is probably clearer if you use the expressions isAnonymous() instead, which has the same meaning.

ROLE_USER has no meaning unless you assign this role to your users when they are authenticated (you are in charge of loading the roles (authorities) for an authenticated user). It isn't a name that is built in to Spring Security's infrastructure. In the given example, presumably that role is assigned to an authenticated user.

Munkymisheen