What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept url configuration?

Question

What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept url configuration such as the example below?

<http auto-config="false" access-decision-manager-ref="accessDecisionManager"
    use-expressions="true">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/login/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/error/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/register/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"
        requires-channel="http" />
    <form-login login-page="/login" login-processing-url="/login/submit"
        authentication-failure-url="/login/error" />
    <logout logout-url="/logout" />
</http>

Recommended answer

ROLE_ANONYMOUS is the default role assigned to an unauthenticated (anonymous) user when a configuration uses Spring Security's "anonymous authentication" filter. This is enabled by default. However, it is probably clearer if you use the expression isAnonymous() instead, which has the same meaning.

ROLE_USER has no meaning unless you assign this role to your users when they are authenticated (you are in charge of loading the roles (authorities) for an authenticated user). It isn't a name that is built in to Spring Security's infrastructure. In the given example, presumably that role is assigned to an authenticated user.
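
The two roles side by side, as an added configuration example that is not part of the original question or answer: ROLE_ANONYMOUS comes from the framework's anonymous filter, while ROLE_USER exists only because the user-service grants it. It assumes the default access decision manager (the question's accessDecisionManager bean is left out), omits the channel settings and some of the question's patterns, and uses a constructed account named alice; the permitAll rule for /error/** is a choice made for this example.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security.xsd">

    <http auto-config="false" use-expressions="true">
        <!-- Anonymous authentication is on by default; it is spelled out here
             only to show where ROLE_ANONYMOUS comes from. -->
        <anonymous enabled="true" granted-authority="ROLE_ANONYMOUS" />

        <!-- isAnonymous() stands in for hasRole('ROLE_ANONYMOUS'). It matches
             only requests that have not logged in, so a logged-in user who
             holds just ROLE_USER is denied by these two rules. -->
        <intercept-url pattern="/login/**" access="isAnonymous()" />
        <intercept-url pattern="/register/**" access="isAnonymous()" />

        <!-- A page meant for everyone, logged in or not, uses permitAll
             (example choice; the question restricts it to anonymous users). -->
        <intercept-url pattern="/error/**" access="permitAll" />

        <!-- Everything else requires ROLE_USER. The name has no built-in
             meaning: it works only because the user-service below grants it. -->
        <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

        <form-login login-page="/login" login-processing-url="/login/submit"
            authentication-failure-url="/login/error" />
        <logout logout-url="/logout" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <user-service>
                <!-- Constructed sample account. The password value is a
                     placeholder; its required format depends on the password
                     encoder configured for the application. -->
                <user name="alice" password="PLACEHOLDER_PASSWORD"
                    authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```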
