Spring Security's "isAuthenticated()" expression really necessary when used with "hasRole()"?

Question

I need a clarification about Spring Security isAuthenticated() built-in expression.

See here for documentation.

I would like to know whether or not it is really necessary or plain redundant to use isAuthenticated() when the hasRole() expression is also used.

Answer 1

Normally, yes it would be unnecessary. The isAuthenticated() expression's purpose is to allow you to allow access for authenticated users regardless of what roles they have.

Unless you use hasRole() in a contrived way (e.g. by selecting the role assigned to anonymous users), then there's no reason why you would also need to add isAuthenticated(), since only authenticated users will have the roles you assign to them in your application.