I am pretty new to Spring Security and I have the following problem trying to retrieve the list of the GrantedAuthority related to a specific user.
So I have this method that retrieves the connected user (this works fine):
    protected CustomUserDetail getUtenteConnesso() {
        return (CustomUserDetail) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    }
Then I am trying to do:
    ArrayList<GrantedAuthority> autorizzazioni = (ArrayList<GrantedAuthority>) getUtenteConnesso().getAuthorities();
to retrieve the GrantedAuthority list associated with this user, but when I perform this method an exception is thrown.
I think that the problem is that the signature of the getAuthorities() method defined in the org.springframework.security.core.userdetails.User class is:
    public Collection<GrantedAuthority> getAuthorities() {
        return authorities;
    }
So the method returns a generic Collection interface.
I tried to cast this Collection into an ArrayList, but it seems this can't work.
What is wrong? What am I missing? How can I solve this issue?
The interface returns a collection, so you cannot cast it to ArrayList. You must use Collection:
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    // getAuthorities() is declared as Collection<? extends GrantedAuthority>
    Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
And if you want an ArrayList, for instance:
    List<GrantedAuthority> listAuthorities = new ArrayList<GrantedAuthority>();
    listAuthorities.addAll(authorities);
If you are interested in the internal behaviour of Spring, I detail it below. The interface specifies a Collection (see https://github.com/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/core/Authentication.java line 68):
    Collection<? extends GrantedAuthority> getAuthorities();
The default abstract implementation uses ArrayList internally, but returns a Collection anyway (see https://github.com/spring-projects/spring-security/blob/master/core/src/main/java/org/springframework/security/authentication/AbstractAuthenticationToken.java lines 67-70):
    private final Collection<GrantedAuthority> authorities;
    ...
    ArrayList<GrantedAuthority> temp = new ArrayList<GrantedAuthority>(
            authorities.size());
    temp.addAll(authorities);
    this.authorities = Collections.unmodifiableList(temp);
The reason why is detailed in the Authentication interface Javadoc: "Implementations should ensure that modifications to the returned collection array do not affect the state of the Authentication object, or use an unmodifiable instance."
That is why you cannot cast. A comment suggested creating a new ArrayList and adding all authorities to it, if you really want a List.
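
The behaviour described in this answer, as an added example that is not part of the original answer or of Spring Security's own code. It assumes spring-security-core is on the classpath; the class name `AuthoritiesDemo`, the user name and the role names are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Added example (hypothetical class name), not code from the page or from Spring.
public class AuthoritiesDemo {
    public static void main(String[] args) {
        // Constructed sample: an authenticated token holding two roles.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "demo-user", "n/a",
                AuthorityUtils.createAuthorityList("ROLE_USER", "ROLE_AUDITOR"));
        Collection<? extends GrantedAuthority> authorities = auth.getAuthorities();

        // 1. The cast from the question: the runtime type is an unmodifiable wrapper, not ArrayList.
        try {
            ArrayList<?> bad = (ArrayList<?>) authorities;
            System.out.println("cast succeeded, size " + bad.size());
        } catch (ClassCastException e) {
            System.out.println("cast rejected, runtime type is " + authorities.getClass().getName());
        }

        // 2. The returned collection cannot be used to change the token's authorities.
        try {
            authorities.clear();
        } catch (UnsupportedOperationException e) {
            System.out.println("returned collection is read-only");
        }

        // 3. A defensive copy gives a real List; editing it leaves the Authentication untouched.
        List<GrantedAuthority> copy = new ArrayList<>(authorities);
        copy.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
        System.out.println("copy:  " + AuthorityUtils.authorityListToSet(copy));
        System.out.println("token: " + AuthorityUtils.authorityListToSet(auth.getAuthorities()));
    }
}
```

Because the copy is detached from the token, authorization decisions made by Spring Security keep using the authorities granted at authentication time, whatever the calling code does to its own list.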