What's difference between ROLE_ANONYMOUS and IS_AUTHENTICATED_ANONYMOUSLY

[tony9427]

In acegi security sample tutorial, configuration is

HTML Code:

<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
		<property name="authenticationManager" ref="authenticationManager"/>
		<property name="accessDecisionManager">
			<bean class="org.acegisecurity.vote.AffirmativeBased">
				<property name="allowIfAllAbstainDecisions" value="false"/>
				<property name="decisionVoters">
					<list>
						<bean class="org.acegisecurity.vote.RoleVoter"/>
						<bean class="org.acegisecurity.vote.AuthenticatedVoter"/>
					</list>
				</property>
			</bean>
		</property>
		<property name="objectDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/secure/extreme/**=ROLE_SUPERVISOR
				/secure/**=IS_AUTHENTICATED_REMEMBERED
				/**=IS_AUTHENTICATED_ANONYMOUSLY
			</value>
		</property>
	</bean>

While in acegi-security-sample-contacts-filter, configuration is:

HTML Code:

<property name="objectDefinitionSource">
         <value>
			    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
			    PATTERN_TYPE_APACHE_ANT
			    /index.jsp=ROLE_ANONYMOUS,ROLE_USER
			    /hello.htm=ROLE_ANONYMOUS,ROLE_USER
			    /logoff.jsp=ROLE_ANONYMOUS,ROLE_USER
			    /switchuser.jsp=ROLE_SUPERVISOR
			    /j_acegi_switch_user=ROLE_SUPERVISOR
			    /acegilogin.jsp*=ROLE_ANONYMOUS,ROLE_USER
				/**=ROLE_USER
         </value>
      </property>

What's the difference for ROLE_ANONYMOUS and IS_AUTHENTICATED_ANONYMOUSLY? Where is attribute like IS_AUTHENTICATED_ANONYMOUSLY and PATTERN_TYPE_APACHE_ANT
from?

Thanks in advance!

[karldmoore]

The authentication settings are defined in AuthenticatedVoter. You can find the explaination of what these mean here.

29 /***
30 * <p>Votes if a {@link ConfigAttribute#getAttribute()} of <code>IS_AUTHENTICATED_FULLY</code> or
31 * <code>IS_AUTHENTICATED_REMEMBERED</code> or <code>IS_AUTHENTICATED_ANONYMOUSLY</code> is present. This list is in
32 * order of most strict checking to least strict checking.</p>
33 * <p>The current <code>Authentication</code> will be inspected to determine if the principal has a particular
34 * level of authentication. The "FULLY" authenticated option means the user is authenticated fully (ie {@link
35 * org.acegisecurity.AuthenticationTrustResolver#isAn onymous(Authentication)} is false and {@link
36 * org.acegisecurity.AuthenticationTrustResolver#isRe memberMe(Authentication)} is false. The "REMEMBERED" will grant
37 * access if the principal was either authenticated via remember-me OR is fully authenticated. The "ANONYMOUSLY" will
38 * grant access if the principal was authenticated via remember-me, OR anonymously, OR via full authentication.</p>
39 * <p>All comparisons and prefixes are case sensitive.</p>
40 *
41 * @author Ben Alex
42 * @version $Id: AuthenticatedVoter.java 1496 2006-05-23 13:38:33Z benalex $
43 */

The ROLE_ settings are the roles within the application. The InMemoryDaoImpl states the roles that the user is assigned. In other applications these could be roles defined in a database or groups on active directory potentially etc..... These are used in the RoleVoter.

The Authenticated and Role voters protect the resource determining if the resource should be accessible.

[karldmoore]

Forgot to say the other constants you were after can be found in a class called FilterInvocationDefinitionSourceEditor.

[DanielYWoo]

I still don't know what does IS mean even reader through the guide

[Luke Taylor]

It doesn't mean anything by itself. The Javadoc for AuthenticatedVoter, as Karl posted earlier in this thread lists the three attributes that the voter will respond to. It will ignore anything else.

[DanielYWoo]

Sorry I did not express what I mean, I know the purpose of ROLE_ and IS_, but I don't know what's the abbreviation of IS_ :-)

[Luke Taylor]

"Is". As in "To be or not to be authenticated, that is the question" :-)

[DanielYWoo]

I am such a fool