Menu
The Spring 3.1 Security contact example uses a couple of roles in its applicationContext-security.xml:
<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/hello.htm" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/switchuser.jsp" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/j_spring_security_switch_user" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
Where are these IS_AUTHENTICATED_ANONYMOUSLY, ROLE_SUPERVISOR, ROLE_USER roles defined? Are these default roles create by Spring Security?
278
The Role represents the high-level roles of the user in the system. Each role will have a set of low-level privileges. The Privilege represents a low-level, granular privilege/authority in the system.
The UserDetailsService is a core interface in Spring Security framework, which is used to retrieve the user's authentication and authorization information. This interface is also responsible to provide the User's GrantedAuthority list, which is used to derive our spring security roles and permissions for the user.
The UsernamePasswordAuthenticationToken is an implementation of interface Authentication which extends the interface Principal . Principal is defined in the JSE java. security . UsernamePasswordAuthenticationToken is a concept in Spring Security which implements the Principal interface.
The IS_AUTHENTICATED_ANONYMOUSLY is defined in the AuthenticatedVoter class.
The various ROLE_xxxx have no special meaning.
Spring Security by defaults suggests these roles because they are used in most applications.
However you are free to define and use custom roles (i.e. ROLE_SUPERMAN).
You just have to make sure that the UserDetail returned by your UserDetailService has this ROLE assigned as GrantedAuthority (either from a DB or manually).
Actually ROLE is the prefix. If you want to change it to APP (i.e. APP_ADMIN) you have to define a custom AppVoter:
<bean class="org.springframework.security.vote.RoleVoter">
<property name="rolePrefix" value="APP"/>
</bean>
Roles ROLE_SUPERVISOR, ROLE_USER are defined by us according to our application.
How to create custom roles : How do I use custom roles/authorities in Spring Security?
Refer Tutorial to create custom roles using org.springframework.security.core.userdetails.UserDetailsService
31
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
