According to the Spring Security docs, the expression to check whether a user is authenticated is isAuthenticated(). So we would do @PreAuthorize("isAuthenticated()"), for example.
However, according to the official example and confirmed by my own testing, @PreAuthorize("authenticated") also works.
Is it a Spring Security feature or perhaps simply a Java feature (e.g. authenticated is the field that backs the getter isAuthenticated() somewhere) that makes authenticated work as well?
Answer
The value of @PreAuthorize is a SpEL expression which, according to the docs, is evaluated against the root object SecurityExpressionRoot.
isAuthenticated() is the syntax to invoke isAuthenticated() on the SecurityExpressionRoot instance (see this).
By contrast, authenticated is the syntax to access the properties of the SecurityExpressionRoot instance (see this). It will try to invoke the following public property or methods to evaluate the value:
- authenticated property
- getAuthenticated()
- isAuthenticated() (Only if the evaluated value is boolean)
- authenticated()
You can find this logic in the code here.
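The resolution described in the answer above can be reproduced outside Spring Security with the plain SpEL parser. This is an added example, not code from the original answer or from Spring Security: DemoRoot is a hypothetical stand-in for SecurityExpressionRoot, and spring-expression is assumed to be on the classpath.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;

public class SpelPropertyVsMethodDemo {

    // Hypothetical root object: no field named "authenticated", only methods.
    public static class DemoRoot {
        private final boolean loggedIn;
        public DemoRoot(boolean loggedIn) { this.loggedIn = loggedIn; }

        // boolean is-getter: reachable as a method call and as a property
        public boolean isAuthenticated() { return loggedIn; }

        // is-method that does NOT return boolean: not usable as property "tenant"
        public String isTenant() { return "acme"; }
    }

    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Evaluate an expression string against the given root object.
    static Object eval(String expression, Object root) {
        return PARSER.parseExpression(expression).getValue(root);
    }

    // Returns true when SpEL cannot resolve the expression on the root object.
    static boolean failsToResolve(String expression, Object root) {
        try {
            eval(expression, root);
            return false;
        } catch (SpelEvaluationException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        DemoRoot user = new DemoRoot(true);
        DemoRoot anonymous = new DemoRoot(false);

        System.out.println(eval("isAuthenticated()", user));      // method invocation
        System.out.println(eval("authenticated", user));          // property access via isAuthenticated()
        System.out.println(eval("authenticated", anonymous));     // same getter, other state
        System.out.println(failsToResolve("tenant", user));       // is-method is not boolean
        System.out.println(failsToResolve("authenticatd", user)); // misspelled property name
    }
}
```

A misspelled property name is not treated as false; it raises SpelEvaluationException when the expression is evaluated, so tests that exercise each secured method will surface typos in @PreAuthorize values.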