What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept url configuration?
What is the difference between ROLE_USER and ROLE_ANONYMOUS in a Spring intercept url configuration such as the example below?
<http auto-config="false" access-decision-manager-ref="accessDecisionManager"
use-expressions="true">
<intercept-url pattern="/admin/**" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="http" />
<intercept-url pattern="/login/**" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="${application.secureChannel}" />
<intercept-url pattern="/error/**" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="http" />
<intercept-url pattern="/register/**" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="${application.secureChannel}" />
<intercept-url pattern="/" access="hasRole('ROLE_ANONYMOUS')"
requires-channel="http" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"
requires-channel="http" />
<form-login login-page="/login" login-processing-url="/login/submit"
authentication-failure-url="/login/error" />
<logout logout-url="/logout" />
</http>
Answer
ROLE_ANONYMOUS is the default role assigned to an unauthenticated (anonymous) user when a configuration uses Spring Security's "anonymous authentication" filter . This is enabled by default. However, it is probably clearer if you use the expression isAnonymous() instead, which has the same meaning.
ROLE_USER has no meaning unless you assign this role to your users when they are authenticated (you are in charge of loading the roles (authorities) for an authenticated user). It isn't a name that is built in to Spring Security's infrastructure. In the given example, presumably that role is assigned to an authenticated user.