 

Default roles in Spring Security 3.1

The Spring 3.1 Security contact example uses a couple of roles in its applicationContext-security.xml:

<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/hello.htm" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/switchuser.jsp" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/j_spring_security_switch_user" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/**" access="ROLE_USER"/>

Where are these IS_AUTHENTICATED_ANONYMOUSLY, ROLE_SUPERVISOR, ROLE_USER roles defined? Are these default roles created by Spring Security?

Jérôme Verstrynge asked Jul 20 '12 10:07




2 Answers

The IS_AUTHENTICATED_ANONYMOUSLY is defined in the AuthenticatedVoter class.
The various ROLE_xxxx have no special meaning.

Spring Security by default suggests these roles because they are used in most applications.
However you are free to define and use custom roles (i.e. ROLE_SUPERMAN).
You just have to make sure that the UserDetail returned by your UserDetailService has this ROLE assigned as GrantedAuthority (either from a DB or manually).

Actually ROLE is the prefix. If you want to change it to APP (i.e. APP_ADMIN) you have to define a custom AppVoter:

<!-- Spring Security 3.x package; org.springframework.security.vote.RoleVoter was the 2.x location -->
<bean id="appRoleVoter" class="org.springframework.security.access.vote.RoleVoter">
  <!-- RoleVoter only handles attributes that start with rolePrefix, so include the underscore -->
  <property name="rolePrefix" value="APP_"/>
</bean>
Ümit answered Sep 23 '22 11:09


Roles ROLE_SUPERVISOR, ROLE_USER are defined by us according to our application.

How to create custom roles: How do I use custom roles/authorities in Spring Security?

Refer to the tutorial on creating custom roles using org.springframework.security.core.userdetails.UserDetailsService.

Nandkumar Tekale answered Sep 21 '22 11:09
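Both answers make the same point: a "role" is just a GrantedAuthority string that your UserDetailsService hands out, and the only thing that interprets it is a voter matching on a prefix, while IS_AUTHENTICATED_ANONYMOUSLY is handled by a different voter altogether. The following is an added example, not code from either answer or from the Spring project, that shows this end to end: a UserDetailsService returning application-specific APP_ authorities, a RoleVoter configured with the APP_ prefix (the programmatic equivalent of the bean in the first answer), and an AuthenticatedVoter evaluating IS_AUTHENTICATED_ANONYMOUSLY. It assumes Spring Security 3.1 on the classpath; the class name CustomRolesExample, the AppUserDetailsService stand-in, and the users alice and bob are constructed for the example.

```java
// Added example (not from the answers above or the Spring project). Assumes Spring Security 3.1.
// Users, passwords and authority names below are constructed sample data.
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class CustomRolesExample {

    /** In-memory stand-in (hypothetical) for a database lookup of users and their roles. */
    static class AppUserDetailsService implements UserDetailsService {
        private final Map<String, List<String>> rolesByUser = new HashMap<String, List<String>>();

        AppUserDetailsService() {
            // Constructed sample data: the authority names are arbitrary strings chosen by the application.
            rolesByUser.put("alice", Arrays.asList("APP_ADMIN", "APP_USER"));
            rolesByUser.put("bob", Arrays.asList("APP_USER"));
        }

        public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
            List<String> roles = rolesByUser.get(username);
            if (roles == null) {
                throw new UsernameNotFoundException("No such user: " + username);
            }
            List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
            for (String role : roles) {
                // This is all a "role" is: a GrantedAuthority wrapping a string.
                authorities.add(new SimpleGrantedAuthority(role));
            }
            // Placeholder password; a real service returns the stored (hashed) password.
            return new User(username, "{placeholder-password}", authorities);
        }
    }

    /** Builds the Authentication that the voters see after a successful login. */
    static Authentication authenticate(UserDetailsService uds, String username) {
        UserDetails user = uds.loadUserByUsername(username);
        // The three-argument constructor marks the token as authenticated.
        return new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
    }

    static String describe(int vote) {
        switch (vote) {
            case AccessDecisionVoter.ACCESS_GRANTED: return "GRANTED";
            case AccessDecisionVoter.ACCESS_DENIED:  return "DENIED";
            default:                                 return "ABSTAIN";
        }
    }

    public static void main(String[] args) {
        UserDetailsService uds = new AppUserDetailsService();
        Authentication alice = authenticate(uds, "alice");
        Authentication bob = authenticate(uds, "bob");

        // Programmatic equivalent of the RoleVoter bean with rolePrefix="APP_".
        RoleVoter appVoter = new RoleVoter();
        appVoter.setRolePrefix("APP_");

        // The same attribute strings an <intercept-url access="..."> entry would produce.
        Collection<ConfigAttribute> needsAdmin = Arrays.<ConfigAttribute>asList(new SecurityConfig("APP_ADMIN"));
        Collection<ConfigAttribute> needsRole  = Arrays.<ConfigAttribute>asList(new SecurityConfig("ROLE_USER"));

        // RoleVoter grants when an authority string equals the attribute, denies when none does,
        // and abstains entirely on attributes that do not start with its prefix.
        System.out.println("alice vs APP_ADMIN: " + describe(appVoter.vote(alice, null, needsAdmin)));
        System.out.println("bob   vs APP_ADMIN: " + describe(appVoter.vote(bob, null, needsAdmin)));
        System.out.println("alice vs ROLE_USER: " + describe(appVoter.vote(alice, null, needsRole)));

        // IS_AUTHENTICATED_ANONYMOUSLY is not a role: AuthenticatedVoter decides it from the
        // kind of Authentication (anonymous, remember-me, fully authenticated), never from authorities.
        AuthenticatedVoter authVoter = new AuthenticatedVoter();
        Collection<ConfigAttribute> anyone = Arrays.<ConfigAttribute>asList(
                new SecurityConfig(AuthenticatedVoter.IS_AUTHENTICATED_ANONYMOUSLY));
        System.out.println("bob   vs IS_AUTHENTICATED_ANONYMOUSLY: " + describe(authVoter.vote(bob, null, anyone)));
    }
}
```

The practical consequence for the bean in the first answer: a RoleVoter with prefix APP_ abstains on every ROLE_ attribute, so if the XML still contains access="ROLE_USER" entries, a decision manager built only from that voter will never grant them. In 3.1 the custom voter has to be wired into an explicit access decision manager (for example an AffirmativeBased bean holding both the APP_ RoleVoter and an AuthenticatedVoter) and referenced from the http element via access-decision-manager-ref, otherwise the namespace's default RoleVoter with the ROLE_ prefix stays in effect.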