Spring security @notation for IS_AUTHENTICATED_FULLY?

I am simply trying to allow a user access to a method if they are authenticated, but nothing I am doing seems to work. Is there a way to just check if the user has been authenticated? The following still denies the user even when authenticated... Is there a built in role for an authenticated user?

@RequestMapping("/secure")
@PreAuthorize("hasRole('IS_AUTHENTICATED_FULLY')")
public String secure(ModelMap map){
    re开发者_如何学Cturn("secure");
}

IS_AUTHENTICATED_FULLY is not a role - it is a pre-defined credential (aka 'magic' string) recognized by the AuthenticatedVoter to indicate that you have logged in. This voter also supports anonymous and remember-me login.

Roles are processed by the RoleVoter which recognizes any sting starting with "ROLE_" (prefix is configurable). Thus hasRole('IS_AUTHENTICATED_FULLY') doesn't work because it's not a role. @RolesAllowed("IS_AUTHENTICATED_FULLY") wouldn't work for the same reason.

When using Spring expression language, the correct expression is:

 @PreAuthorize("isAuthenticated()")

Alternatively, you can use:

 @Secured("IS_AUTHENTICATED_FULLY")

No custom classes are required - both voters are enabled by default.

hasRole('ROLE_USER') is the traditional name for any user who is authenticated. You would typically use ROLE_ANONYMOUS for parts where you don't care if the person is authenticated or not.

(Added later:)

I think you will need to implement a custom AccessDecisionVoter that will always vote ACCESS_GRANTED whenever the parameter authentication has isAuthenticated() true, and the CONFIG_ATTRIBUTE is ROLE_USER or similar.

There is further discussion of this in this forum discussion, giving details of a web.xml and other config.

In your custom UserDetailService implementation just add the Role "IS_AUTHENTICATED_FULLY" to the User object before it's returned.

This is what I have ended up using:

@PreAuthorize("isAuthenticated()")

this should work:

@PreAuthorize("isFullyAuthenticated()")