According to the Spring Security docs, the expression to check whether a user is authenticated is isAuthenticated(). So we would do @PreAuthorize("isAuthenticated()"), for example.
However, according to the official example and confirmed by my own testing, @PreAuthorize("authenticated") also works.
Is it a Spring Security feature or perhaps simply a Java feature (e.g. authenticated is the field that backs the getter isAuthenticated() somewhere) that makes authenticated work as well?
The value of @PreAuthorize is a SpEL expression which, according to the docs, is evaluated against the root object.
isAuthenticated() is the syntax to invoke isAuthenticated() on the SecurityExpressionRoot instance (see this).
authenticated is the syntax to access the properties of the SecurityExpressionRoot instance (see this). It will try to invoke the following public property or methods to evaluate the value:
isAuthenticated() (only if the evaluated value is boolean)
You can find this logic in the code here.
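
The resolution rule described in the answer above can be observed with plain SpEL. This is an added example, not code from the post or from Spring Security. `DemoRoot` is a hypothetical stand-in for `SecurityExpressionRoot`, and the program assumes `spring-expression` is on the classpath. It evaluates the method form and the property form against the same root object, and includes an `is`-prefixed method with a non-boolean return type to show that the property form does not resolve to it.

```java
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.SpelEvaluationException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;

public class SpelPropertyDemo {

    // Hypothetical stand-in for SecurityExpressionRoot (assumption for this demo).
    // It has no field named "authenticated" or "label", only methods.
    public static class DemoRoot {
        private final boolean loggedIn;

        public DemoRoot(boolean loggedIn) {
            this.loggedIn = loggedIn;
        }

        // Boolean "is" getter: reachable as a method call and as a property.
        public boolean isAuthenticated() {
            return loggedIn;
        }

        // "is" prefix with a non-boolean return type: reachable only as a method call.
        public String isLabel() {
            return "demo";
        }
    }

    // Evaluates one expression against the given root object and reports the
    // result, or the SpEL message code when the expression cannot be resolved.
    static String eval(String expr, Object root) {
        ExpressionParser parser = new SpelExpressionParser();
        StandardEvaluationContext ctx = new StandardEvaluationContext(root);
        try {
            return String.valueOf(parser.parseExpression(expr).getValue(ctx));
        } catch (SpelEvaluationException e) {
            return "not resolvable: " + e.getMessageCode();
        }
    }

    public static void main(String[] args) {
        DemoRoot root = new DemoRoot(true); // constructed sample state
        String[] expressions = {"isAuthenticated()", "authenticated", "isLabel()", "label"};
        for (String expr : expressions) {
            System.out.println(expr + " -> " + eval(expr, root));
        }
    }
}
```

A property name that SpEL cannot resolve raises `SpelEvaluationException` at evaluation time rather than evaluating to `false`, so a misspelled property in an authorization expression surfaces as an error when the expression is evaluated.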