The Spring 3.1 Security contact
example uses a couple of roles in its applicationContext-security.xml
:
<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/hello.htm" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/switchuser.jsp" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/j_spring_security_switch_user" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/**" access="ROLE_USER"/>
Where are these IS_AUTHENTICATED_ANONYMOUSLY, ROLE_SUPERVISOR, ROLE_USER roles defined? Are these default roles create by Spring Security?
The Role represents the high-level roles of the user in the system. Each role will have a set of low-level privileges. The Privilege represents a low-level, granular privilege/authority in the system.
The UserDetailsService is a core interface in Spring Security framework, which is used to retrieve the user's authentication and authorization information. This interface is also responsible to provide the User's GrantedAuthority list, which is used to derive our spring security roles and permissions for the user.
The UsernamePasswordAuthenticationToken is an implementation of interface Authentication which extends the interface Principal . Principal is defined in the JSE java. security . UsernamePasswordAuthenticationToken is a concept in Spring Security which implements the Principal interface.
The IS_AUTHENTICATED_ANONYMOUSLY is defined in the AuthenticatedVoter class.
The various ROLE_xxxx have no special meaning.
Spring Security by defaults suggests these roles because they are used in most applications.
However you are free to define and use custom roles (i.e. ROLE_SUPERMAN).
You just have to make sure that the UserDetail
returned by your UserDetailService
has this ROLE
assigned as GrantedAuthority
(either from a DB or manually).
Actually ROLE is the prefix. If you want to change it to APP (i.e. APP_ADMIN) you have to define a custom AppVoter
:
<bean class="org.springframework.security.vote.RoleVoter">
<property name="rolePrefix" value="APP"/>
</bean>
Roles ROLE_SUPERVISOR, ROLE_USER
are defined by us according to our application.
How to create custom roles : How do I use custom roles/authorities in Spring Security?
Refer Tutorial to create custom roles using org.springframework.security.core.userdetails.UserDetailsService
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With