
spring-security - Spring Security: difference between ROLE_ANONYMOUS and IS_AUTHENTICATED_ANONYMOUSLY

Reposted. Author: 行者123. Updated: 2023-12-04 02:10:51

In Spring Security, what is the difference between ROLE_ANONYMOUS and IS_AUTHENTICATED_ANONYMOUSLY?

In other words, how do RoleVoter and AuthenticatedVoter differ?

Best answer

From the relevant section of the Spring Security documentation:

You will often see the ROLE_ANONYMOUS attribute in the above interceptor configuration replaced with IS_AUTHENTICATED_ANONYMOUSLY, which is effectively the same thing when defining access controls. This is an example of the use of the AuthenticatedVoter which we will see in the authorization chapter. It uses an AuthenticationTrustResolver to process this particular configuration attribute and grant access to anonymous users. The AuthenticatedVoter approach is more powerful, since it allows you to differentiate between anonymous, remember-me and fully-authenticated users. If you don't need this functionality though, then you can stick with ROLE_ANONYMOUS, which will be processed by Spring Security's standard RoleVoter.



In addition, from Luke's comment on the related jira issue:

The anonymous access issue is partly historical. Anonymous tokens were introduced initially (i.e. ROLE_ANONYMOUS) which would allow you to use a "secure-by-default" configuration with specific exceptions. At a later stage the AuthenticatedVoter was introduced to allow you to differentiate between different levels of authentication - anonymous, remember-me and fully-authenticated (i.e. logged in during the current session). I've added an extra bit to the anonymous chapter to explain that they are the same unless you require the extra functionality offered by the AuthenticatedVoter.

Regarding spring-security - Spring Security: difference between ROLE_ANONYMOUS and IS_AUTHENTICATED_ANONYMOUSLY, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/5482552/
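The following is an added example, not code from the original answer or from the Spring Security project. It asks RoleVoter and AuthenticatedVoter to vote on each attribute for an anonymous, a remember-me and a fully-authenticated token, so the difference between the two voters can be read off directly. It assumes a spring-security-core version that still ships the voter classes on the classpath; the key, principals and ROLE_USER authority are constructed sample values.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class AnonymousVoterDemo {
    // Constructed sample tokens; keys, principals and ROLE_USER are illustrative values.
    static Map<String, Authentication> sampleTokens() {
        Map<String, Authentication> tokens = new LinkedHashMap<>();
        tokens.put("anonymous", new AnonymousAuthenticationToken("demo-key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
        tokens.put("remember-me", new RememberMeAuthenticationToken("demo-key", "alice",
                AuthorityUtils.createAuthorityList("ROLE_USER")));
        tokens.put("fully-authenticated", new UsernamePasswordAuthenticationToken("alice", "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER")));
        return tokens;
    }
    // Map the voter's integer result to a readable label.
    static String label(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }

    public static void main(String[] args) {
        RoleVoter roleVoter = new RoleVoter();
        AuthenticatedVoter authenticatedVoter = new AuthenticatedVoter();
        String[] attributes = {"ROLE_ANONYMOUS", "IS_AUTHENTICATED_ANONYMOUSLY",
                "IS_AUTHENTICATED_REMEMBERED", "IS_AUTHENTICATED_FULLY"};
        for (String attribute : attributes) {
            List<ConfigAttribute> config = SecurityConfig.createList(attribute);
            sampleTokens().forEach((name, token) -> System.out.printf(
                    "%-30s %-20s RoleVoter=%-8s AuthenticatedVoter=%s%n", attribute, name,
                    label(roleVoter.vote(token, null, config)),
                    label(authenticatedVoter.vote(token, null, config))));
        }
    }
}
```

RoleVoter only handles attributes that start with ROLE_ and grants ROLE_ANONYMOUS solely to a token that carries that authority, while AuthenticatedVoter grants IS_AUTHENTICATED_ANONYMOUSLY to anonymous, remember-me and fully-authenticated tokens alike. The two attributes therefore match for an anonymous visitor but diverge once the user has logged in, which matters when a rule is meant to keep a URL such as a login page reachable for everyone.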
