According to the Spring Security docs, the expression to check whether a user is authenticated is isAuthenticated()
. So we would do @PreAuthorize("isAuthenticated()")
, for example.
However, according to the official example and confirmed by my own testing, @PreAuthorize("authenticated")
also works.
Is it a Spring Security feature or perhaps simply a Java feature (e.g. authenticated
is the field that backs the getter isAuthenticated()
somewhere) that makes authenticated
work as well?
Advertisement
Answer
The value of the @PreAuthorize
is an SpEL , which according from the docs , it will evaluate against the root object SecurityExpressionRoot
.
isAuthenticated()
is the syntax to invoke isAuthenticated()
on the SecurityExpressionRoot
instance (see this) .
While authenticated
is the syntax to access the properties of the SecurityExpressionRoot
instance (see this). It will try to invoke the following public property or methods to evaluate the value :
authenticated
propertygetAuthenticated()
isAuthenticated()
(Only if the evaluated value is boolean)authenticated()
You could find such logic in the codes at here.