Java: What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept url configuration?

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me). Original StackOverflow URL: http://stackoverflow.com/questions/3435824/

Time: 2020-10-30 01:51:45  Source: igfitidea

Tags: java, authentication, spring-security, security-roles

Asked by pnut butter

What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept url configuration such as the example below?


<http auto-config="false" access-decision-manager-ref="accessDecisionManager"
    use-expressions="true">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/login/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/error/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/register/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"
        requires-channel="http" />
    <form-login login-page="/login" login-processing-url="/login/submit"
        authentication-failure-url="/login/error" />
    <logout logout-url="/logout" />
</http>

Answered by Shaun the Sheep

ROLE_ANONYMOUS is the default role assigned to an unauthenticated (anonymous) user when a configuration uses Spring Security's "anonymous authentication" filter. This is enabled by default. However, it is probably clearer if you use the expression isAnonymous() instead, which has the same meaning.


ROLE_USER has no meaning unless you assign this role to your users when they are authenticated (you are in charge of loading the roles (authorities) for an authenticated user). It isn't a name that is built in to Spring Security's infrastructure. In the given example, presumably that role is assigned to an authenticated user.

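The two role sources this answer describes, written out as a Spring Security 3.x namespace configuration. This is an added example, not part of the original answer; the user name alice, the CHANGE_ME password placeholder and the in-memory user-service are assumptions for illustration.

```xml
<!-- Added example. Assumes the Spring Security 3.x XML namespace is the
     default namespace of the file, as in the question's configuration. -->
<http auto-config="false" use-expressions="true">

    <!-- Source of ROLE_ANONYMOUS: the anonymous authentication filter.
         It is enabled by default; it is declared here only to make the
         default authority name and principal name visible. -->
    <anonymous enabled="true" granted-authority="ROLE_ANONYMOUS"
        username="anonymousUser" />

    <!-- isAnonymous() has the same meaning as hasRole('ROLE_ANONYMOUS')
         with the defaults above. A logged-in user does not hold
         ROLE_ANONYMOUS, so these rules reject authenticated requests. -->
    <intercept-url pattern="/login/**" access="isAnonymous()" />
    <intercept-url pattern="/register/**" access="isAnonymous()" />

    <!-- permitAll admits anonymous and authenticated requests alike. -->
    <intercept-url pattern="/error/**" access="permitAll" />

    <!-- ROLE_USER is not built in. This rule matches only because the
         user-service below grants that authority at login. -->
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')" />

    <form-login login-page="/login" login-processing-url="/login/submit"
        authentication-failure-url="/login/error" />
    <logout logout-url="/logout" />
</http>

<!-- Source of ROLE_USER: whatever loads the authenticated user's
     authorities. Constructed sample user; a real application would load
     users and their roles from its own user store. -->
<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="alice" password="CHANGE_ME" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>
</authentication-manager>
```

If the authorities attribute listed a different name, such as ROLE_MEMBER, the `/**` rule would deny every logged-in user, since nothing else grants ROLE_USER.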

Answered by Aaron Saunders

ROLE_ANONYMOUS has no user credentials, ROLE_USER has user credentials... has been authenticated.


This is my interpretation based on the configuration provided.
