TreeDescender

Reputation: 23

Why is the default Spring Security strategy AffirmativeBased?

From the spring security docs for AccessDecisionManager:

The default strategy is to use an AffirmativeBased AccessDecisionManager with a RoleVoter and an AuthenticatedVoter.

The AffirmativeBased voter:

grants access if any AccessDecisionVoter returns an affirmative response

According to the docs, the RoleVoter will vote based on whether the authenticated object has the correct ROLE_ authority, and the AuthenticatedVoter based on whether or not the object is authenticated.

My confusion is, what is the AuthenticatedVoter object voting on? In my application I only want someone with ROLE_USER to access a resource. But I'm also setting setAuthenticated(true) on my implementation of the AbstractAuthenticationToken.

From my reading of the docs, the AffirmativeBased strategy would only need authenticated to be true to access the resource and wouldn't bother with the ROLE requirement. Is there a different "is authenticated" value that's actually being checked?

I know about the UnanimousBased strategy, but it seems like I haven't understood the authenticated test or else there would be a big security hole in the default implementation.

Upvotes: 2

Views: 1871

Answers (1)

Adisesha

Reputation: 5268

When you configure authorization, you provide configuration attributes, for example hasRole('admin'). During voting, each voter checks whether it supports the attribute; otherwise it abstains from voting. In the case of AuthenticatedVoter, it will abstain from voting if access is configured for a role. See the source code of the vote method.

Upvotes: 2
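The abstention described in the answer, as an added example that is not part of the original question or answer and is not Spring Security's own code. It wires up the documented default (AffirmativeBased over RoleVoter and AuthenticatedVoter), builds two constructed tokens that are both marked authenticated, and shows that against a ROLE_USER attribute the AuthenticatedVoter abstains, so the RoleVoter alone decides and the authenticated-but-wrong-role token is denied. The principal names, role names and the use of UsernamePasswordAuthenticationToken as the authenticated token are assumptions for the demo; the classes and methods are Spring Security's (pre-6 voter API).

```java
import java.util.Arrays;
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AffirmativeBased;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added demo class (not from Spring Security or the original post).
public class VoterAbstainDemo {

    // Same voter set as the documented default: AffirmativeBased over RoleVoter + AuthenticatedVoter.
    static AffirmativeBased defaultDecisionManager() {
        List<AccessDecisionVoter<?>> voters = Arrays.asList(new RoleVoter(), new AuthenticatedVoter());
        return new AffirmativeBased(voters);
    }

    // Runs the decision and turns the AccessDeniedException into a boolean for display.
    static boolean isAllowed(Authentication auth, List<ConfigAttribute> attrs) {
        try {
            defaultDecisionManager().decide(auth, new Object(), attrs);
            return true;
        } catch (AccessDeniedException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample tokens (assumed principals/roles). The three-argument constructor
        // marks the token authenticated, which is the situation the question describes.
        Authentication userWithRole = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication authenticatedWrongRole = new UsernamePasswordAuthenticationToken(
                "bob", "n/a", AuthorityUtils.createAuthorityList("ROLE_GUEST"));

        // Configuration attributes: one the RoleVoter supports, one the AuthenticatedVoter supports.
        List<ConfigAttribute> requireRole = SecurityConfig.createList("ROLE_USER");
        List<ConfigAttribute> requireFullyAuthenticated = SecurityConfig.createList("IS_AUTHENTICATED_FULLY");

        // AuthenticatedVoter.supports() is false for a ROLE_ attribute, so its vote is ACCESS_ABSTAIN:
        // being authenticated does not become a "grant" vote for a role-protected resource.
        AuthenticatedVoter authVoter = new AuthenticatedVoter();
        int vote = authVoter.vote(authenticatedWrongRole, new Object(), requireRole);
        System.out.println("AuthenticatedVoter abstains on ROLE_USER: "
                + (vote == AccessDecisionVoter.ACCESS_ABSTAIN));

        // With the AuthenticatedVoter abstaining, only the RoleVoter's vote counts.
        System.out.println("alice (ROLE_USER) may access ROLE_USER resource: "
                + isAllowed(userWithRole, requireRole));
        System.out.println("bob (authenticated, ROLE_GUEST) may access ROLE_USER resource: "
                + isAllowed(authenticatedWrongRole, requireRole));

        // For IS_AUTHENTICATED_FULLY the roles are reversed: RoleVoter abstains (no ROLE_ prefix)
        // and AuthenticatedVoter decides, so bob is allowed here.
        System.out.println("bob may access IS_AUTHENTICATED_FULLY resource: "
                + isAllowed(authenticatedWrongRole, requireFullyAuthenticated));
    }
}
```

Two details worth knowing when reading the output: AffirmativeBased only grants when some voter actually votes ACCESS_GRANTED, and if every voter abstains it denies by default (allowIfAllAbstainDecisions is false), so a resource protected by an attribute nobody supports is closed rather than open. The AuthenticatedVoter's own check for IS_AUTHENTICATED_FULLY goes through its AuthenticationTrustResolver, which is why a UsernamePasswordAuthenticationToken (neither anonymous nor remember-me) passes it.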
