
I just want to make sure I get this correctly, so I would be thankful for any response; in my configure override:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.
        [...]
        permitAll()
        [...]
}

the permitAll() allows any request, while:

anonymous()

will only grant access to users that are not logged in, but in both cases an HttpSession object is created by default.

Is that right?

It's generally considered good security practice to adopt a "deny-by-default" approach where you explicitly specify what is allowed and disallow everything else. Defining what is accessible to unauthenticated users is a similar situation, particularly for web applications. Many sites require that users must be authenticated for anything other than a few URLs (for example the home and login pages). In this case it is easiest to define access configuration attributes for these specific URLs rather than having to do so for every secured resource. Put differently, sometimes it is nice to say ROLE_SOMETHING is required by default and only allow certain exceptions to this rule, such as for the login, logout and home pages of an application. You could also omit these pages from the filter chain entirely, thus bypassing the access control checks, but this may be undesirable for other reasons, particularly if the pages behave differently for authenticated users.

This is what we mean by anonymous authentication.

Note that there is no real conceptual difference between a user who is "anonymously authenticated" and an unauthenticated user. Spring Security’s anonymous authentication just gives you a more convenient way to configure your access-control attributes.

Using .permitAll() will configure the authorization so that all requests (both from anonymous and logged-in users) are allowed on that particular path.

The .anonymous() expression mainly refers to the status of the user (logged in or not). Basically, until a user is "authenticated" it is an "anonymous user". It is like having a "default role" for everybody.

Sorry for being late to reply. That makes things clearer, but at one point I am still somewhat confused. So 'anonymous()' blocking logged-in users from access is the intended behaviour, is that right? I may lack experience in this field, but where would that be useful if it is true? I can imagine that there are situations where I would want to redirect a logged-in user (e.g. from the 'login page' to a 'you are already logged in' page), but the default of 403 that I encountered seems somewhat useless. – Wolfone Jul 21, 2018 at 13:04

@Wolfone As I have already written in the answer, the .anonymous() expression is mainly intended to determine if a user is logged in or not. As stated in the same documentation: "There are other situations where anonymous authentication is useful, such as when an auditing interceptor queries the SecurityContextHolder to identify which principal was responsible for a given operation. Classes can be authored more robustly if they know the SecurityContextHolder always contains an Authentication object, and never null." – LoolKovsky Jul 24, 2018 at 10:59

@Wolfone You can also check the following link: Http Security. It says that: ".anonymous() Allows configuring how an anonymous user is represented. This is automatically applied when used in conjunction with WebSecurityConfigurerAdapter. By default anonymous users will be represented with an AnonymousAuthenticationToken and contain the role "ROLE_ANONYMOUS"." – LoolKovsky Jul 24, 2018 at 11:01

It seems that <intercept-url pattern="/**" access="permitAll()" /> allows both logged-in and anonymous users to access, while <intercept-url pattern="/**" access="isAnonymous()" /> only allows anonymous users to access, but not logged-in users. I also wonder what the usage of isAnonymous() could be. – Mingtao Sun Dec 2, 2019 at 23:15

@MingtaoSun Maybe you have some sort of special pages that should be accessible only if you are not logged in, like a registration form or a login form or some sort of questionnaire. – LoolKovsky May 28, 2020 at 6:41
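The following is an added, self-contained configuration illustrating the distinction drawn in the answer and the comment thread above; it is not code posted by the asker, the answerer or any commenter. It uses the Spring Security 6 lambda DSL with a SecurityFilterChain bean rather than the WebSecurityConfigurerAdapter shown in the question, and the paths /, /css/**, /login, /register and /account, the test user alice and the redirectLoggedInUsers handler are all assumptions made for the example. It puts the three rule kinds side by side (permitAll(), anonymous(), authenticated()), configures how the anonymous principal is represented, and, for the case raised in the comments where a logged-in user hits an anonymous-only page, replaces the bare 403 with a redirect by installing an AccessDeniedHandler that delegates everything else to the default handler.

```java
package example.security;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;

@Configuration
@EnableWebSecurity
public class AnonymousVsPermitAllConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // permitAll(): anyone may fetch these, logged in or not.
                .requestMatchers("/", "/css/**").permitAll()
                // anonymous(): only a request whose Authentication is an
                // AnonymousAuthenticationToken passes. A logged-in user gets an
                // AccessDeniedException (HTTP 403 by default) unless handled below.
                .requestMatchers("/login", "/register").anonymous()
                // Deny by default: everything else needs a real login.
                .anyRequest().authenticated())
            // How the not-logged-in user is represented. AnonymousAuthenticationFilter
            // places this token in the SecurityContext for every request that carries
            // no other Authentication, so SecurityContextHolder never yields null.
            .anonymous(anon -> anon
                .principal("guest")
                .authorities("ROLE_ANONYMOUS"))
            // POST /login is consumed by the login filter before authorization runs,
            // so the anonymous() rule above only governs rendering the login page.
            .formLogin(form -> form.loginPage("/login"))
            .logout(logout -> logout.logoutSuccessUrl("/"))
            // Replace the bare 403 for logged-in users on anonymous-only pages with
            // a redirect; every other denial still goes to the default handler.
            .exceptionHandling(ex -> ex.accessDeniedHandler(redirectLoggedInUsers()));
        return http.build();
    }

    /** Hypothetical handler: logged-in users reaching /login or /register go to /account. */
    static AccessDeniedHandler redirectLoggedInUsers() {
        AccessDeniedHandler fallback = new AccessDeniedHandlerImpl();
        return (HttpServletRequest request, HttpServletResponse response,
                AccessDeniedException denied) -> {
            // ExceptionTranslationFilter already routes anonymous users to the
            // authentication entry point, so this check is a safety belt that makes
            // the intent explicit rather than the thing that keeps it correct.
            Authentication auth = SecurityContextHolder.getContext().getAuthentication();
            boolean loggedIn = auth != null && auth.isAuthenticated()
                    && !(auth instanceof AnonymousAuthenticationToken);
            String path = request.getServletPath();
            if (loggedIn && ("/login".equals(path) || "/register".equals(path))) {
                response.sendRedirect(request.getContextPath() + "/account");
                return;
            }
            fallback.handle(request, response, denied);
        };
    }

    @Bean
    UserDetailsService users() {
        // Constructed test user; the {noop} prefix marks the password as unencoded.
        return new InMemoryUserDetailsManager(
            User.withUsername("alice").password("{noop}secret").roles("USER").build());
    }
}
```

With this in a Spring Boot 3 application, an unauthenticated browser can open / and /login but is sent to the login page for anything else; after logging in as alice, a visit to /login or /register lands on /account instead of a 403, while any other denied request (for example a URL later restricted to another role) still produces the default 403. Note that formLogin().permitAll() is deliberately not called: it registers the login URLs as permitAll ahead of the other rules and would silently undo the anonymous() restriction.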
