Spring Security : difference between ROLE_ANONYMOUS and IS_AUTHENTICATED_ANONYMOUSLY

In Spring Security, what's the difference between ROLE_ANONYMOUS and IS_AUTHENTICATED_ANONYMOUSLY?

In other words, how are RoleVoter and AuthenticatedVoter different?

Vinoth Kumar C M asked Mar 30 '11 06:03 (380 upvotes)


People also ask

What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept-url configuration?

ROLE_ANONYMOUS has no user credentials; ROLE_USER has user credentials and has been authenticated.

What does anonymous authentication do in Spring Security?

Spring Security's anonymous authentication just gives you a more convenient way to configure your access-control attributes. Servlet API calls such as getCallerPrincipal, for example, will still return null even though there is actually an anonymous authentication object in the SecurityContextHolder.

What is AnonymousAuthenticationToken?

AnonymousAuthenticationToken is an implementation of Authentication, and stores the GrantedAuthority objects which apply to the anonymous principal. There is a corresponding AnonymousAuthenticationProvider, which is chained into the ProviderManager so that AnonymousAuthenticationToken objects are accepted.


1 Answer

From the relevant section of the Spring Security documentation:

You will often see the ROLE_ANONYMOUS attribute in the above interceptor configuration replaced with IS_AUTHENTICATED_ANONYMOUSLY, which is effectively the same thing when defining access controls. This is an example of the use of the AuthenticatedVoter which we will see in the authorization chapter. It uses an AuthenticationTrustResolver to process this particular configuration attribute and grant access to anonymous users. The AuthenticatedVoter approach is more powerful, since it allows you to differentiate between anonymous, remember-me and fully-authenticated users. If you don't need this functionality though, then you can stick with ROLE_ANONYMOUS, which will be processed by Spring Security's standard RoleVoter.

Also, from Luke's comment on the related Jira issue:

The anonymous access issue is partly historical. Anonymous tokens were introduced initially (i.e. ROLE_ANONYMOUS) which would allow you to use a "secure-by-default" configuration with specific exceptions. At a later stage the AuthenticatedVoter was introduced to allow you to differentiate between different levels of authentication - anonymous, remember-me and fully-authenticated (i.e. logged in during the current session). I've added an extra bit to the anonymous chapter to explain that they are the same unless you require the extra functionality offered by the AuthenticatedVoter.

Raghuram answered Sep 20 '22 16:09 (74 upvotes)
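To make the two voters' behaviour concrete, here is an added example (not from the question, the answer or Spring's own sources) that hands the same three Authentication objects to a RoleVoter and an AuthenticatedVoter and prints each vote. It assumes the Spring Security 3.x to 5.x voter API on the classpath; the class name VoterComparison, the key strings and the principal names are constructed sample values.

```java
import java.util.List;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Hypothetical class name; not part of Spring Security.
public class VoterComparison {
    // Turn a voter's int result into a readable label.
    static String describe(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }

    public static void main(String[] args) {
        // The kinds of Authentication the anonymous filter, the remember-me filter and a form
        // login place in the SecurityContext. Keys and principals are constructed sample values.
        Authentication anonymous = new AnonymousAuthenticationToken(
                "sample-key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        Authentication rememberMe = new RememberMeAuthenticationToken(
                "sample-key", "alice", AuthorityUtils.createAuthorityList("ROLE_USER"));
        Authentication fullyAuthenticated = new UsernamePasswordAuthenticationToken(
                "alice", null, AuthorityUtils.createAuthorityList("ROLE_USER"));

        // The two access attributes the question compares, one per voter.
        List<ConfigAttribute> roleAttr = SecurityConfig.createList("ROLE_ANONYMOUS");
        List<ConfigAttribute> authAttr =
                SecurityConfig.createList(AuthenticatedVoter.IS_AUTHENTICATED_ANONYMOUSLY);

        RoleVoter roleVoter = new RoleVoter();                            // matches attribute text against granted authorities
        AuthenticatedVoter authenticatedVoter = new AuthenticatedVoter(); // asks an AuthenticationTrustResolver instead

        Authentication[] users = { anonymous, rememberMe, fullyAuthenticated };
        String[] labels = { "anonymous", "remember-me", "fully authenticated" };
        for (int i = 0; i < users.length; i++) {
            System.out.printf("%-20s ROLE_ANONYMOUS -> %-7s IS_AUTHENTICATED_ANONYMOUSLY -> %s%n",
                    labels[i],
                    describe(roleVoter.vote(users[i], null, roleAttr)),
                    describe(authenticatedVoter.vote(users[i], null, authAttr)));
        }
    }
}
```

With these inputs, RoleVoter grants ROLE_ANONYMOUS only to the token that actually carries the ROLE_ANONYMOUS authority and denies the other two, while AuthenticatedVoter grants IS_AUTHENTICATED_ANONYMOUSLY to all three, which is the practical difference when a logged-in user requests a URL protected by ROLE_ANONYMOUS alone.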