Spring拦截url配置中ROLE_USER和ROLE_ANONYMOUS有什么区别?
Spring 拦截 url 配置中的 ROLE_USER 和 ROLE_ANONYMOUS 有什么区别,如下例所示?
<http auto-config="false" access-decision-manager-ref="accessDecisionManager"
use-expressions="true">
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="http" />
<intercept-url pattern="/login/**" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="${application.secureChannel}" />
<intercept-url pattern="/error/**" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="http" />
<intercept-url pattern="/register/**" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="${application.secureChannel}" />
<intercept-url pattern="/" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="http" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"
requires-channel="http" />
<form-login login-page="/login" login-processing-url="/login/submit"
authentication-failure-url="/login/error" />
<logout logout-url="/logout" />
</http>
What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept url configuration such as the example below?
<http auto-config="false" access-decision-manager-ref="accessDecisionManager"
use-expressions="true">
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="http" />
<intercept-url pattern="/login/**" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="${application.secureChannel}" />
<intercept-url pattern="/error/**" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="http" />
<intercept-url pattern="/register/**" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="${application.secureChannel}" />
<intercept-url pattern="/" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="http" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"
requires-channel="http" />
<form-login login-page="/login" login-processing-url="/login/submit"
authentication-failure-url="/login/error" />
<logout logout-url="/logout" />
</http>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
ROLE_ANONYMOUS 是当配置使用 Spring Security 的 "匿名身份验证"过滤器。默认情况下启用此功能。然而,如果您使用表达式 isAnonymous() 来代替,它可能会更清楚,它具有相同的含义。
ROLE_USER 没有任何意义,除非您在用户经过身份验证时将此角色分配给他们(您负责为经过身份验证的用户加载角色(权限))。它不是内置于 Spring Security 基础设施中的名称。在给定的示例中,假设该角色已分配给经过身份验证的用户。
ROLE_ANONYMOUS is the default role assigned to an unauthenticated (anonymous) user when a configuration uses Spring Security's "anonymous authentication" filter . This is enabled by default. However, it is probably clearer if you use the expression isAnonymous() instead, which has the same meaning.
ROLE_USER has no meaning unless you assign this role to your users when they are authenticated (you are in charge of loading the roles (authorities) for an authenticated user). It isn't a name that is built in to Spring Security's infrastructure. In the given example, presumably that role is assigned to an authenticated user.
ROLE_ANONYMOUS 没有用户凭据,ROLE_USER 有用户凭据...已通过身份验证。
这是我根据提供的配置的解释
ROLE_ANONYMOUS has no user credentials, ROLE_USER has user credentials... has been authenticated.
this is my interpretation based on the configuration provided