Spring Security: the difference between roles and authorities

First, a look at some of the authorization expressions available in Spring Security:

permitAll    always returns true
denyAll    always returns false
anonymous    returns true when the current user is anonymous
rememberMe    returns true when the current user was authenticated via remember-me
authenticated    returns true when the current user is not anonymous
fullyAuthenticated    returns true when the current user is neither anonymous nor a remember-me user
hasRole(role)    returns true when the user holds the given role
hasAnyRole([role1,role2])    returns true when the user holds any one of the given roles
hasAuthority(authority)    returns true when the user holds the given authority
hasAnyAuthority([authority1,authority2])    returns true when the user holds any one of the given authorities
hasIpAddress('192.168.1.0')    returns true when the IP address the request was sent from matches

When actually using Spring Security, one clearly notices that the concepts of role and authority seem very blurred: when calling the authorization API, passing in a role also works.

If there is no difference between roles and authorities, hasRole() alone would be enough. So what is hasAuthority() for?

Answer: the difference is that the authority name matched by hasRole() must start with "ROLE_" (hasRole() adds that prefix for you), whereas hasAuthority() needs no prefix and compares the string exactly as given. And that is the whole difference.
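The following configuration, added here as an example and not code from the original post, shows the prefix rule and the expressions from the table above in one place. It targets the Spring Security 6 lambda DSL; the users, passwords, paths and the "report:read" authority are made-up demo values.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;

@Configuration
@EnableWebSecurity
public class RolePrefixDemoConfig {

    @Bean
    public UserDetailsService users() {
        // Constructed demo users. "{noop}" keeps the password unencoded; acceptable for a local demo only.
        // A role is stored as an authority string that simply starts with "ROLE_".
        UserDetails alice = User.withUsername("alice")
            .password("{noop}alice-pw")
            .authorities("ROLE_ADMIN", "report:read")
            .build();
        UserDetails bob = User.withUsername("bob")
            .password("{noop}bob-pw")
            .authorities("report:read")          // a permission only, no role at all
            .build();
        return new InMemoryUserDetailsManager(alice, bob);
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/public/**").permitAll()
                // hasRole("ADMIN") prepends the prefix and looks for the authority "ROLE_ADMIN"
                .requestMatchers("/admin/**").hasRole("ADMIN")
                // the identical check, with the prefix written out by hand
                .requestMatchers("/admin-alt/**").hasAuthority("ROLE_ADMIN")
                // a fine-grained permission: no prefix, so hasRole() could never match it
                .requestMatchers("/reports/**").hasAuthority("report:read")
                // the SpEL form of the same expressions, combined with an IP constraint
                .requestMatchers("/ops/**").access(new WebExpressionAuthorizationManager(
                    "hasAnyRole('ADMIN','OPS') and hasIpAddress('192.168.1.0/24')"))
                .anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With this chain, alice reaches /admin/**, /admin-alt/** and /reports/**, while bob reaches only /reports/** and /public/**; the two admin matchers are the same string comparison against "ROLE_ADMIN". Do not write hasRole("ROLE_ADMIN"): the Spring Security 6 builder rejects a role argument that already carries the prefix and tells you to use hasAuthority instead.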

Why it is designed this way

Checking "is this user an administrator" and checking "does this user hold the administrator permission" are logically identical in code: both compare the authorization string. So there is no need to design and implement two separate code paths.

Looking only at the permission implementation, a role can be treated as one kind of permission. In real business logic, however, that can make the design harder to follow, so keeping the two apart lets developers design along different dimensions: who the user is (role) versus what the user may do (permission).


Spring Security 3 to Spring Security 4 migration guide:

http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-jc.html#m3to4-role-prefixing

The Stack Overflow discussion of this question:

https://stackoverflow.com/questions/19525380/difference-between-role-and-grantedauthority-in-spring-security

Think of a GrantedAuthority as being a "permission" or a "right". Those "permissions" are (normally) expressed as strings (with the getAuthority() method). Those strings let you identify the permissions and let your voters decide if they grant access to something.

You can grant different GrantedAuthoritys (permissions) to users by putting them into the security context. You normally do that by implementing your own UserDetailsService that returns a UserDetails implementation that returns the needed GrantedAuthorities.

Roles (as they are used in many examples) are just "permissions" with a naming convention that says that a role is a GrantedAuthority that starts with the prefix ROLE_. There's nothing more. A role is just a GrantedAuthority - a "permission" - a "right". You see a lot of places in spring security where the role with its ROLE_ prefix is handled specially as e.g. in the RoleVoter, where the ROLE_ prefix is used as a default. This allows you to provide the role names without the ROLE_ prefix. Prior to Spring security 4, this special handling of "roles" has not been followed very consistently and authorities and roles were often treated the same (as you e.g. can see in the implementation of the hasAuthority() method in SecurityExpressionRoot - which simply calls hasRole()). With Spring Security 4, the treatment of roles is more consistent and code that deals with "roles" (like the RoleVoter, the hasRole expression etc.) always adds the ROLE_ prefix for you. So hasAuthority('ROLE_ADMIN') means the same as hasRole('ADMIN') because the ROLE_ prefix gets added automatically. See the spring security 3 to 4 migration guide for further information.
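The "why it is designed this way" section above argues that a role is a different dimension from a permission, and the quoted answer mentions implementing your own UserDetailsService to supply the GrantedAuthorities. The class below is an added example (not code from the post or from Spring Security) of a UserDetailsService that keeps both dimensions: each role is emitted as a ROLE_-prefixed authority so hasRole() works, and the role is also expanded into the fine-grained permissions it implies so hasAuthority() works. The role-to-permission map, users and permission names are constructed sample data standing in for database tables.

```java
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class RoleExpandingUserDetailsService implements UserDetailsService {

    // Constructed sample data standing in for a role table and a role->permission table.
    private static final Map<String, Set<String>> ROLE_PERMISSIONS = Map.of(
        "ADMIN", Set.of("report:read", "report:write", "user:manage"),
        "ANALYST", Set.of("report:read"));

    private record StoredUser(String username, String encodedPassword, Set<String> roles) {}

    // "{noop}" keeps the password unencoded; acceptable for a local demo only.
    private static final Map<String, StoredUser> USERS = Map.of(
        "alice", new StoredUser("alice", "{noop}alice-pw", Set.of("ADMIN")),
        "bob", new StoredUser("bob", "{noop}bob-pw", Set.of("ANALYST")));

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        StoredUser stored = USERS.get(username);
        if (stored == null) {
            // Same message for every unknown user, so the response does not reveal which names exist.
            throw new UsernameNotFoundException("bad credentials");
        }
        return User.withUsername(stored.username())
            .password(stored.encodedPassword())
            .authorities(authoritiesFor(stored.roles()))
            .build();
    }

    /** Flattens roles and the permissions they imply into one GrantedAuthority list. */
    static List<GrantedAuthority> authoritiesFor(Set<String> roles) {
        Set<GrantedAuthority> out = new LinkedHashSet<>();   // de-duplicates permissions shared by roles
        for (String role : roles) {
            // Role dimension: the ROLE_ prefix is what hasRole("ADMIN") looks for.
            out.add(new SimpleGrantedAuthority("ROLE_" + role));
            // Permission dimension: plain strings checked with hasAuthority("report:write").
            for (String permission : ROLE_PERMISSIONS.getOrDefault(role, Set.of())) {
                out.add(new SimpleGrantedAuthority(permission));
            }
        }
        return List.copyOf(out);
    }
}
```

Registered as the UserDetailsService bean, this gives alice the authorities ROLE_ADMIN, report:read, report:write and user:manage, so hasRole('ADMIN'), hasAuthority('ROLE_ADMIN') and hasAuthority('report:write') all pass for her, while bob passes only hasRole('ANALYST') and hasAuthority('report:read'). Authorization rules on endpoints can then be written against the permission that matters rather than against a role, and adding a permission to a role in ROLE_PERMISSIONS changes every user in that role without touching the rules.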

Do anything, as long as you don't do nothing.
Original post: https://www.cnblogs.com/chenss15060100790/p/14924132.html