Spring拦截url配置中ROLE_USER和ROLE_ANONYMOUS有什么区别?

发布于 2024-09-13 13:38:48 字数 1113 浏览 9 评论 0原文

Spring 拦截 url 配置中的 ROLE_USER 和 ROLE_ANONYMOUS 有什么区别,如下例所示?

<http auto-config="false" access-decision-manager-ref="accessDecisionManager"
    use-expressions="true">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/login/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/error/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/register/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"
        requires-channel="http" />
    <form-login login-page="/login" login-processing-url="/login/submit"
        authentication-failure-url="/login/error" />
    <logout logout-url="/logout" />
</http>

What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept url configuration such as the example below?

<http auto-config="false" access-decision-manager-ref="accessDecisionManager"
    use-expressions="true">
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/login/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/error/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/register/**" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="${application.secureChannel}" />
    <intercept-url pattern="/" access="hasRole('ROLE_ANONYMOUS')"
        requires-channel="http" />
    <intercept-url pattern="/**" access="hasRole('ROLE_USER')"
        requires-channel="http" />
    <form-login login-page="/login" login-processing-url="/login/submit"
        authentication-failure-url="/login/error" />
    <logout logout-url="/logout" />
</http>

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

拥抱我好吗 2024-09-20 13:38:48

ROLE_ANONYMOUS 是当配置使用 Spring Security 的 "匿名身份验证"过滤器。默认情况下启用此功能。然而,如果您使用表达式 isAnonymous() 来代替,它可能会更清楚,它具有相同的含义。

ROLE_USER 没有任何意义,除非您在用户经过身份验证时将此角色分配给他们(您负责为经过身份验证的用户加载角色(权限))。它不是内置于 Spring Security 基础设施中的名称。在给定的示例中,假设该角色已分配给经过身份验证的用户。

ROLE_ANONYMOUS is the default role assigned to an unauthenticated (anonymous) user when a configuration uses Spring Security's "anonymous authentication" filter . This is enabled by default. However, it is probably clearer if you use the expression isAnonymous() instead, which has the same meaning.

ROLE_USER has no meaning unless you assign this role to your users when they are authenticated (you are in charge of loading the roles (authorities) for an authenticated user). It isn't a name that is built in to Spring Security's infrastructure. In the given example, presumably that role is assigned to an authenticated user.

痞味浪人 2024-09-20 13:38:48

ROLE_ANONYMOUS 没有用户凭据,ROLE_USER 有用户凭据...已通过身份验证。

这是我根据提供的配置的解释

ROLE_ANONYMOUS has no user credentials, ROLE_USER has user credentials... has been authenticated.

this is my interpretation based on the configuration provided

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文