Purpose of using permitAll() in PreAuthorize annotation in Spring Security

Being new to the Spring Security framework, I wanted to know why we use @PreAuthorize("permitAll()") with methods. The documentation says that permitAll always evaluates to true. (http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html)

Also, I have the code change below. The developer changes permitAll() to a specific permission check. What is the implication here? Since I am not too sure about how permitAll() works, I am not able to judge the logic behind the code change. It seems to me that the developer adds specific permission checks and passes null as the authentication object. Could someone explain what the impact of explicitly passing null as the authentication object is? Is it that users who are not authenticated will have access if they have this specific 'LUONTI' permission on the target object 'opetussuunnitelma'?

-    @PreAuthorize("permitAll()")
+    @PreAuthorize("hasPermission(null, 'opetussuunnitelma', 'LUONTI')")
     OpetussuunnitelmaDto addOpetussuunnitelma(OpetussuunnitelmaDto opetussuunnitelmaDto);
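Review bot: the null in `hasPermission(null, 'opetussuunnitelma', 'LUONTI')` is the targetId argument of the three-argument form hasPermission(targetId, targetType, permission), not the Authentication; Spring Security takes the Authentication from the SecurityContext and passes it to the configured PermissionEvaluator's hasPermission(Authentication, Serializable targetId, String targetType, Object permission). Whether an anonymous session gets through therefore depends entirely on that evaluator denying an anonymous Authentication and handling a null targetId, so this line should be reviewed together with the evaluator implementation; if no evaluator is configured, the default DenyAllPermissionEvaluator rejects every call, which is a different regression from permitAll() than the author may expect.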

Thanks. Any help much appreciated!

Zack Avatar asked Dec 20 '22 02:12



2 Answers

permitAll() does exactly what it says. It allows (permits) any user's (all) session to be authorized to execute that method.

The way Spring manages its authentication and authorization means that anyone accessing your site is provided with a session. This session can be anonymous or authenticated (the user has provided some kind of credential and the system has accepted it). Alternatives to permitAll (hasPermission() for example) will usually check the user's authentication to ensure they have some role or group assigned to them before allowing the annotated class/method to be invoked.

If permitAll() is used, it means to explicitly allow any session, anonymous or authenticated, to access the annotated method.

The code change the other developer has made has restricted the given method to something custom. Take a look at this: Spring - Expression-Based Access Control.

Dave Lugg Avatar answered Jan 14 '23 01:01



I feel like nobody really gave you what you really wanted, which is a use case for "permitAll()".

It can be used when you restrict your whole class or application with a certain permission, for example: @PreAuthorize("hasAuthority('USER')")

Here, only the clients identified as what you defined to be a user can have access to the methods of your class.

But at some point in your controller you want a certain method to be permissionless, so you'll add @PreAuthorize("permitAll()") to your method so that it overrides the global permission.

People will do this because it's safer to first secure everything with the highest permission lock and then poke holes in the net (e.g., the application/class is locked to ADMIN but most methods are then authorized to USER) than the other way around, because if everything is unlocked by default, the day you forget to lock a controller you could have security problems.

Echox Avatar answered Jan 14 '23 01:01

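As an added example that is not part of the question or either answer, the following listing combines the pattern from the second answer (a class-level lock with a method-level permitAll() hole) with a PermissionEvaluator that shows where the null in the question's hasPermission() actually lands. It assumes Spring Security 5.x-style Java configuration; the class names, the "type:permission" authority naming scheme and the OpetussuunnitelmaDto placeholder are assumptions, and the types are shown in one listing rather than one file each.

```java
import java.io.Serializable;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.*;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.*;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;

class OpetussuunnitelmaDto { }   // placeholder for the DTO named in the question

// Class-level lock: every method needs USER unless a method-level annotation overrides it.
@Service
@PreAuthorize("hasAuthority('USER')")
class OpetussuunnitelmaService {
    @PreAuthorize("permitAll()")               // hole in the net: anonymous sessions allowed too
    public String ping() { return "ok"; }

    // Three-argument form hasPermission(targetId, targetType, permission): the null is the
    // target id (nothing exists yet when creating), not the Authentication.
    @PreAuthorize("hasPermission(null, 'opetussuunnitelma', 'LUONTI')")
    public OpetussuunnitelmaDto addOpetussuunnitelma(OpetussuunnitelmaDto dto) { return dto; }
}

class OpetussuunnitelmaPermissionEvaluator implements PermissionEvaluator {
    @Override
    public boolean hasPermission(Authentication auth, Object target, Object permission) {
        return target != null && hasPermission(auth, null, "opetussuunnitelma", permission);
    }

    // Spring injects the Authentication from the SecurityContext; the annotation never passes it.
    @Override
    public boolean hasPermission(Authentication auth, Serializable targetId, String targetType, Object permission) {
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return false;                       // unauthenticated sessions are denied explicitly
        }
        // targetId == null means "create": fall back to a type-level grant, modelled here as an
        // authority named "<type>:<permission>" (assumed naming scheme, e.g. opetussuunnitelma:LUONTI)
        String required = targetType + ":" + permission;
        return auth.getAuthorities().stream().anyMatch(a -> required.equals(a.getAuthority()));
    }
}

// Without this wiring the default DenyAllPermissionEvaluator makes every hasPermission() false.
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler h = new DefaultMethodSecurityExpressionHandler();
        h.setPermissionEvaluator(new OpetussuunnitelmaPermissionEvaluator());
        return h;
    }
}
```

With this wiring, an anonymous session can call ping() but is refused by addOpetussuunnitelma(), while an authenticated user with the opetussuunnitelma:LUONTI authority is allowed even though the annotation passes null for the target.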