java - Spring Security Expression: authenticated vs. isAuthenticated ...
While authenticated is the syntax to access the properties of the SecurityExpressionRoot instance (see this). It will try to invoke the following public property or methods to evaluate the value: authenticated property; getAuthenticated(); isAuthenticated() (only if the evaluated value is boolean); authenticated(). You could find such logic in
c# - How does Request.IsAuthenticated work? - Stack Overflow
HttpRequest.IsAuthenticated will be true when the user making the request has been authenticated. Essentially, this property provides the same information as Context.User.Identity.IsAuthenticated. At the start of a request, Context.User.Identity contains a GenericIdentity with a null username
403 Forbidden vs 401 Unauthorized HTTP responses
Forbidden indicates either that the client is RFC2617 authenticated and does not have authorization or that the server does not support RFC2617 for the requested resource. Meaning if you have your own roll-your-own login process and never use HTTP Authentication, 403 is always the proper response and 401 should never be used