Being new to the Spring Security framework, I wanted to know why we use @PreAuthorize("permitAll()")
with methods? The documentation says that permitAll always evaluates to true. (http://docs.spring.io/spring-security/site/docs/3.0.x/reference/el-access.html)
Also, I have the code change below. The developer changes from permitAll() to a specific permission check. What is the implication here? Since I am not too sure about how permitAll() works, I am not able to judge the logic behind the code change. It seems to me that the developer adds specific permission checks and passes null as the authentication object. Could someone explain what the impact of explicitly passing null as the authentication object is? Is it that users who are not authenticated will have access if they have this specific 'LUONTI' permission on the target object 'opetussuunnitelma'?
- @PreAuthorize("permitAll()")
+ @PreAuthorize("hasPermission(null, 'opetussuunnitelma', 'LUONTI')")
OpetussuunnitelmaDto addOpetussuunnitelma(OpetussuunnitelmaDto opetussuunnitelmaDto);
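Review bot: the null in hasPermission(null, 'opetussuunnitelma', 'LUONTI') is the targetId argument of the three-argument form (targetId, targetType, permission), not an Authentication; the caller's Authentication is taken from the security context, so this line cannot by itself grant access to unauthenticated callers. Two things to confirm before merging: (1) the project's PermissionEvaluator implements the four-argument overload hasPermission(Authentication, Serializable targetId, String targetType, Object permission) and explicitly treats a null id as a type-level (create) check on 'opetussuunnitelma' rather than failing on the null, and (2) it denies when the Authentication is an anonymous token, since permitAll() previously admitted anonymous sessions and nothing in this hunk excludes them. A unit test for the anonymous case and a one-line Javadoc on the method stating that it now requires LUONTI on opetussuunnitelma would make the intent of the change reviewable.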
Thanks. Any help is much appreciated!
permitAll() does exactly what it says. It allows (permits) any user's (all) session to be authorized to execute that method.
The way Spring manages its authentication and authorization means that anyone accessing your site is provided with a session. This session can be anonymous, or authenticated (the user has provided some kind of credential and the system has accepted it). Alternatives to permitAll (hasPermission() for example) will usually check the user's authentication to ensure they have some role or group assigned to them before allowing the annotated class/method to be invoked.
If permitAll() is used, it means to explicitly allow any session, anonymous or authenticated, to access the annotated method.
The code change the other developer has made has restricted the given method to something custom. Take a look at this: Spring - Expression-Based Access Control
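As an added illustration of what a hasPermission() check like the one in the question actually runs (this is example code, not code from the question, the answer, or the project being discussed): in Spring Security's method-security expressions the three-argument form hasPermission(targetId, targetType, permission) is dispatched to a PermissionEvaluator's four-argument overload, with the current Authentication injected from the security context. The evaluator class name TypePermissionEvaluator, the authority naming scheme "targetType:permission", and the use of Java configuration (GlobalMethodSecurityConfiguration, Spring Security 3.2 or later) are all assumptions made for this example. The point it shows is that an anonymous session still carries an Authentication object, so the evaluator, not the annotation, is what decides whether unauthenticated callers are rejected.

```java
import java.io.Serializable;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

/**
 * Hypothetical evaluator behind @PreAuthorize("hasPermission(null, 'opetussuunnitelma', 'LUONTI')").
 * Assumption for this example: granted authorities are encoded as "<targetType>:<permission>",
 * e.g. "opetussuunnitelma:LUONTI".
 */
public class TypePermissionEvaluator implements PermissionEvaluator {

    // Two-argument SpEL form: hasPermission(targetDomainObject, permission).
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        if (targetDomainObject == null) {
            return false; // nothing to check against
        }
        // Assumption: the type name used in annotations is the simple class name, lower-cased.
        String targetType = targetDomainObject.getClass().getSimpleName().toLowerCase();
        return hasPermission(authentication, null, targetType, permission);
    }

    // Three-argument SpEL form: hasPermission(targetId, targetType, permission).
    // This is the overload the annotation in the question reaches; targetId is null for a create.
    @Override
    public boolean hasPermission(Authentication authentication, Serializable targetId,
                                 String targetType, Object permission) {
        // An anonymous session has an Authentication too; permitAll() admitted it, this must not.
        if (authentication == null
                || authentication instanceof AnonymousAuthenticationToken
                || !authentication.isAuthenticated()) {
            return false;
        }
        if (targetType == null || permission == null) {
            return false;
        }
        // Null id means a type-level check (e.g. create). A non-null id is where
        // per-instance ownership checks would go; that is out of scope here.
        String required = targetType + ":" + permission;
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            if (required.equals(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}

/**
 * Registers the evaluator so that hasPermission() in @PreAuthorize expressions uses it.
 * In a real project this would live in its own file.
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setPermissionEvaluator(new TypePermissionEvaluator());
        return handler;
    }
}
```

With this in place, an anonymous request to addOpetussuunnitelma() is rejected by the first guard in the four-argument method, and an authenticated user passes only if one of their authorities is exactly "opetussuunnitelma:LUONTI". If the project had no evaluator registered, Spring Security's default DenyAllPermissionEvaluator would make every hasPermission() call return false, which is the opposite failure mode from permitAll() and worth checking before assuming the change does what the annotation suggests.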