
Spring Security Expression: “authenticated” vs. “isAuthenticated()”

According to the Spring Security docs, the expression to check whether a user is authenticated is isAuthenticated(). So we would do @PreAuthorize("isAuthenticated()"), for example.

However, according to the official example and confirmed by my own testing, @PreAuthorize("authenticated") also works.

Is it a Spring Security feature or perhaps simply a Java feature (e.g. authenticated is the field that backs the getter isAuthenticated() somewhere) that makes authenticated work as well?



The value of @PreAuthorize is a SpEL expression which, according to the docs, is evaluated against the root object SecurityExpressionRoot.

isAuthenticated() is the syntax to invoke isAuthenticated() on the SecurityExpressionRoot instance (see this).

authenticated, on the other hand, is the syntax to access a property of the SecurityExpressionRoot instance (see this). It will try the following public property or methods to evaluate the value:

  • authenticated property
  • getAuthenticated()
  • isAuthenticated() (Only if the evaluated value is boolean)
  • authenticated()

You can find this logic in the code here.
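
The difference between the two syntaxes can be reproduced outside Spring Security. The following is an added example, not code from the answer or from Spring Security: `DemoRoot` is a hypothetical stand-in for SecurityExpressionRoot that exposes only a boolean `isAuthenticated()` method, and it assumes `spring-expression` is on the classpath.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelAuthenticatedDemo {

    // Hypothetical root object: no "authenticated" field and no
    // getAuthenticated(), only a boolean is-getter.
    public static class DemoRoot {
        private final boolean loggedIn;

        public DemoRoot(boolean loggedIn) {
            this.loggedIn = loggedIn;
        }

        public boolean isAuthenticated() {
            return loggedIn;
        }
    }

    // Evaluate a SpEL expression against the given root object.
    static Boolean eval(ExpressionParser parser, Object root, String expr) {
        return parser.parseExpression(expr)
                .getValue(new StandardEvaluationContext(root), Boolean.class);
    }

    public static void main(String[] args) {
        ExpressionParser parser = new SpelExpressionParser();
        DemoRoot user = new DemoRoot(true);
        DemoRoot anonymous = new DemoRoot(false);

        // Method invocation syntax: calls isAuthenticated() directly.
        System.out.println(eval(parser, user, "isAuthenticated()"));      // true
        // Property syntax: resolved to the boolean is-getter.
        System.out.println(eval(parser, user, "authenticated"));          // true
        System.out.println(eval(parser, anonymous, "authenticated"));     // false

        // With parentheses the name is a method call, not a property, so
        // there is no getter fallback and evaluation fails on this root.
        try {
            eval(parser, user, "authenticated()");
        } catch (SpelEvaluationException e) {
            System.out.println("authenticated() failed: " + e.getMessageCode());
        }
    }
}
```

A misspelled property or method name in a `@PreAuthorize` value is only detected when the expression is evaluated, so each secured method deserves a test that exercises it.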