Description
The problem
The role `IS_AUTHENTICATED_ANONYMOUSLY` is both awfully long and confusing for newcomers.
The first problem is that we usually explain to newcomers: "roles always start with `ROLE_`" and then we tell them "the role `IS_AUTHENTICATED_ANONYMOUSLY`...". What!?
The second problem is that the name itself is very confusing at first:
- OK, let's say that I'm authenticated. Then, why am I anonymous?
- Let's try to figure it out backwards --> OK, let's say I'm anonymous. Then, how can I be authenticated? When and how do I authenticate if I'm anonymous?
The solution
Introduce a new `ROLE_ANONYMOUS` which is effectively a shortcut for `IS_AUTHENTICATED_ANONYMOUSLY`. With this new role, most of the problems instantly vanish: OK, `ROLE_ANONYMOUS`... that's a role, and it means that the user is anonymous. I can definitely understand that!
Oddly enough, the Spring framework, from which Symfony copied all these concepts, has suffered the same problem but in reverse: they started with `ROLE_ANONYMOUS` and then they included `IS_AUTHENTICATED_ANONYMOUSLY`. You can read the following in their Anonymous authentication documentation:

> You will often see the ROLE_ANONYMOUS attribute in the above interceptor configuration replaced with IS_AUTHENTICATED_ANONYMOUSLY, which is effectively the same thing when defining access controls. This is an example of the use of the AuthenticatedVoter which we will see in the authorization chapter. It uses an AuthenticationTrustResolver to process this particular configuration attribute and grant access to anonymous users. The AuthenticatedVoter approach is more powerful, since it allows you to differentiate between anonymous, remember-me and fully-authenticated users. If you don't need this functionality though, then you can stick with ROLE_ANONYMOUS, which will be processed by Spring Security's standard RoleVoter.
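To make the difference between the two voter strategies in the Spring quote concrete, and to show what "a shortcut for IS_AUTHENTICATED_ANONYMOUSLY" has to mean for the proposed role, here is an added PHP 8 model (not Symfony's or Spring's own code; the `Token` class, the `TRUST_*` constants and the two voter functions are hypothetical simplifications):

```php
<?php
// Added illustration, not Symfony's or Spring's own code: a minimal model of the
// two voter strategies the Spring quote contrasts. Names are hypothetical.

// Trust levels, lowest to highest, as an AuthenticatedVoter-style voter orders them.
const TRUST_ANONYMOUS  = 0;
const TRUST_REMEMBERED = 1;
const TRUST_FULLY      = 2;

final class Token
{
    public function __construct(public int $trust, public array $roles) {}
}

// AuthenticatedVoter-style: an IS_AUTHENTICATED_* attribute grants when the token's
// trust level is at least the one named, so IS_AUTHENTICATED_ANONYMOUSLY means "anyone".
function authenticatedVoter(Token $token, string $attribute): bool
{
    $required = match ($attribute) {
        'IS_AUTHENTICATED_ANONYMOUSLY' => TRUST_ANONYMOUS,
        'IS_AUTHENTICATED_REMEMBERED'  => TRUST_REMEMBERED,
        'IS_AUTHENTICATED_FULLY'       => TRUST_FULLY,
        default => null, // abstain on attributes this voter does not handle
    };
    return $required !== null && $token->trust >= $required;
}

// RoleVoter-style: a ROLE_* attribute grants only when the token literally carries it.
function roleVoter(Token $token, string $attribute): bool
{
    return str_starts_with($attribute, 'ROLE_') && in_array($attribute, $token->roles, true);
}

// Constructed sample tokens: an anonymous visitor and a fully logged-in user.
$anonymous = new Token(TRUST_ANONYMOUS, ['ROLE_ANONYMOUS']);
$loggedIn  = new Token(TRUST_FULLY, ['ROLE_USER']);

foreach (['IS_AUTHENTICATED_ANONYMOUSLY', 'ROLE_ANONYMOUS'] as $attr) {
    printf("%-28s anonymous=%s logged-in=%s\n", $attr,
        var_export(authenticatedVoter($anonymous, $attr) || roleVoter($anonymous, $attr), true),
        var_export(authenticatedVoter($loggedIn, $attr) || roleVoter($loggedIn, $attr), true));
}
// In this model IS_AUTHENTICATED_ANONYMOUSLY is granted to both tokens, while a plain
// ROLE_ANONYMOUS role is granted only to the anonymous one. A ROLE_ANONYMOUS that is a
// real shortcut for IS_AUTHENTICATED_ANONYMOUSLY therefore has to be granted to every
// token, not only to anonymous users, or public routes would reject logged-in users.
```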