Zack

Reputation: 2208

Using Spring Security Annotations isFullyAuthenticated v/s hasRole

Being new to spring security annotations, I am not able to understand the real difference between the below two lines. Does it mean that hasRole implicitly checks for authentication?

-    @PreAuthorize("isFullyAuthenticated() and hasRole('activateUser')")
+    @PreAuthorize("hasRole('activateUser')")

void activateUser(String username);
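
Review bot: without `isFullyAuthenticated()` on the `+` line, the guard on `activateUser` no longer excludes remember-me users, which is the case the quoted documentation says that check rejects. If account activation is meant to require an explicit login rather than a remembered session, keep the `isFullyAuthenticated() and` clause in the expression.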

As per spring documentation,

isFullyAuthenticated(): Returns true if the user is not an anonymous or a remember-me user

Upvotes: 2

Views: 1176

Answers (1)

gregdim

Reputation: 2071

Does it mean that hasRole implicitly checks for authentication?

Not absolutely. It could be hasRole("ROLE_ANONYMOUS"), which implies non-authenticated users. Note also that isFullyAuthenticated() is not the same as isAuthenticated(), since the former requires explicit authentication while the latter is more lax, accepting remember-me authenticated users. In most cases though, hasRole is used with real roles, which at least implies isAuthenticated().

So the difference is that the first line requires a user to be explicitly authenticated (not remember-me).

Upvotes: 2
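
The distinction drawn in the answer above can be checked directly against the expression root that backs `@PreAuthorize`. This is an added example, not code from the question or the answer. It assumes Spring Security 4 to 6 on the classpath (where `hasRole` prepends the default `ROLE_` prefix); the class name, user name and token key are constructed for illustration.

```java
import java.util.List;
import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

public class AuthCheckDemo { // hypothetical class name

    // Evaluates the built-in expressions used in the two @PreAuthorize variants
    // and reports the decision each variant would reach for this Authentication.
    static String evaluate(Authentication auth) {
        SecurityExpressionRoot root = new SecurityExpressionRoot(auth) { };
        // Set explicitly so the example does not depend on a version default.
        root.setTrustResolver(new AuthenticationTrustResolverImpl());
        boolean role = root.hasRole("activateUser");
        boolean full = root.isFullyAuthenticated();
        return String.format(
                "hasRole=%b isAuthenticated=%b isFullyAuthenticated=%b"
                + " | hasRole only: %s | isFullyAuthenticated and hasRole: %s",
                role, root.isAuthenticated(), full,
                role ? "ALLOW" : "DENY",
                (full && role) ? "ALLOW" : "DENY");
    }

    public static void main(String[] args) {
        // Constructed sample data. "ROLE_activateUser" assumes the default prefix.
        List<GrantedAuthority> role = AuthorityUtils.createAuthorityList("ROLE_activateUser");
        List<GrantedAuthority> anon = AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");

        // Explicit login, remember-me login and anonymous access for comparison.
        Authentication login = new UsernamePasswordAuthenticationToken("alice", "n/a", role);
        Authentication remembered = new RememberMeAuthenticationToken("demo-key", "alice", role);
        Authentication anonymous = new AnonymousAuthenticationToken("demo-key", "anonymousUser", anon);

        System.out.println("explicit login: " + evaluate(login));
        System.out.println("remember-me   : " + evaluate(remembered));
        System.out.println("anonymous     : " + evaluate(anonymous));
    }
}
```

The remember-me token is the only case where the two guards disagree: it holds the role, so the `hasRole`-only expression allows it, while the combined expression denies it.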
