Using this approach, I had some troubles with the Front-End (Thymeleaf). An example:
admin (the role is assigned with two privileges, read and write)
user (the role is assigned with only the read privilege)
In the Front-End I will secure different divs. If I login with an admin:
<li sec:authorize="hasRole('admin')">Entry 1</li>
<li sec:authorize="hasAnyRole('admin', 'user')">Entry 2</li>
shows nothing, while
<li sec:authorize="hasAuthority('read')">Entry 3</li>
<li sec:authorize="hasAnyAuthority('read', 'write')">Entry 4</li>
works perfectly.
Now as I am using the role as container for my privileges, is there no way to allow access to a div for a "whole" role? Do I really have to list all privileges? Or am I mixing something up here? Thanks.
The main idea is:
user1
  with Role 'admin'
    with Privilege 'read' / 'write'
user2
  with Role 'user'
    with Privilege 'read'
And in Thymeleaf:
Showing a div for all users with role admin with
<li sec:authorize="hasRole('ROLE_ADMIN')">Entry 1</li>
and showing a div for all users with privilege write with
<li sec:authorize="hasAuthority('READ_PRIVILEGE')">Entry 1</li>
Is this even possible / 'the way to go?' I mean what is the sense of grouping privileges to a group (role) if I cannot give access to a page for the whole group?
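One way to get both kinds of check working is to grant the user the role authority and every privilege that role contains, so a single hasRole('ROLE_ADMIN') covers the whole group while hasAuthority('READ_PRIVILEGE') still covers one privilege. The following is an added example, not code from the question or from any answer; the in-memory role/privilege tables, the account names, the RoleContainerUserDetailsService class and the authoritiesFor helper are constructed for illustration and stand in for whatever entities the real application loads from its database.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical UserDetailsService: roles are containers of privileges, and the
// user is granted BOTH the role and the privileges it contains.
public class RoleContainerUserDetailsService implements UserDetailsService {

    // Constructed sample data: role name -> privileges the role contains.
    // Authority strings must match the sec:authorize expressions exactly,
    // including case and the ROLE_ prefix.
    private static final Map<String, Set<String>> ROLE_PRIVILEGES = Map.of(
            "ROLE_ADMIN", Set.of("READ_PRIVILEGE", "WRITE_PRIVILEGE"),
            "ROLE_USER", Set.of("READ_PRIVILEGE"));

    // Constructed sample accounts. "{noop}" marks a plain-text password for the
    // DelegatingPasswordEncoder; it is a demo placeholder, a real application
    // stores a bcrypt/argon2 hash loaded from its user store.
    private record Account(String passwordHash, Set<String> roles) {}

    private static final Map<String, Account> ACCOUNTS = Map.of(
            "user1", new Account("{noop}user1-demo-password", Set.of("ROLE_ADMIN")),
            "user2", new Account("{noop}user2-demo-password", Set.of("ROLE_USER")));

    @Override
    public UserDetails loadUserByUsername(String username) {
        Account account = ACCOUNTS.get(username);
        if (account == null) {
            throw new UsernameNotFoundException("no such user: " + username);
        }
        return User.withUsername(username)
                .password(account.passwordHash())
                .authorities(authoritiesFor(account.roles()))
                .build();
    }

    // Expands the user's roles into the GrantedAuthority list Spring Security
    // evaluates: each role itself plus every privilege contained in it, so
    // hasRole('ROLE_ADMIN'), hasAuthority('READ_PRIVILEGE') and
    // hasAnyAuthority('READ_PRIVILEGE', 'WRITE_PRIVILEGE') all evaluate
    // against the same list. Duplicate privileges shared by several roles
    // are collapsed.
    static List<GrantedAuthority> authoritiesFor(Set<String> roles) {
        Set<String> names = new java.util.LinkedHashSet<>();
        for (String role : roles) {
            names.add(role);
            names.addAll(ROLE_PRIVILEGES.getOrDefault(role, Set.of()));
        }
        List<GrantedAuthority> authorities = new ArrayList<>();
        for (String name : names) {
            authorities.add(new SimpleGrantedAuthority(name));
        }
        return authorities;
    }
}
```

With this mapping, user1 authenticates with [ROLE_ADMIN, READ_PRIVILEGE, WRITE_PRIVILEGE] and user2 with [ROLE_USER, READ_PRIVILEGE]. A quick way to confirm the list your own service produces is the sec:authentication="principal.authorities" span shown later on this page: if ROLE_ADMIN is missing from the rendered array, the role itself was never granted and hasRole cannot match it, however many privileges are present.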
Using Granted Authority vs Role in Spring Security
Spring Security uses hasRole() and hasAuthority() almost interchangeably. Since Spring Security 4 the behaviour is more consistent, and we should be equally consistent in how we use hasRole() and hasAuthority(). Keep the following simple rules in mind.
There are multiple ways to design Spring Security roles and permissions, but one of the most common and flexible is to build the roles and privileges module around user groups. As part of any application, put the users into groups; take the following example for a better understanding: a front-end user should go into the CUSTOMER group.
However, a user with the role STAFF can only perform STAFF and USER role actions. Let's create this hierarchy in Spring Security by simply exposing a bean of type RoleHierarchy. As the example shows, we use the '>' symbol in the expression to define the role hierarchy.
This interface is also responsible for providing the user's GrantedAuthority list, which is used to derive the user's Spring Security roles and permissions. Let's change the custom UserDetailsService to return a list of GrantedAuthority based on the user's groups.
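The RoleHierarchy bean the passage above refers to, written out as an added example (not code from the excerpted article): ADMIN implies STAFF and STAFF implies USER, so a user holding only ROLE_STAFF satisfies hasRole checks for STAFF and USER but not for ADMIN. The RoleHierarchyConfig class name and the reachableFor helper are my own; the hierarchy string syntax and RoleHierarchyImpl are Spring Security's.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

@Configuration
public class RoleHierarchyConfig {

    // Each line is "higher role > lower role"; the higher role inherits every
    // authority reachable from the lower one. Role names carry the ROLE_ prefix
    // because that is the form stored in the user's GrantedAuthority list.
    @Bean
    public RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_STAFF\nROLE_STAFF > ROLE_USER");
        return hierarchy;
    }

    // Helper (hypothetical, for demonstration): shows what the hierarchy
    // expands a set of directly granted roles into. Useful in a unit test to
    // confirm the hierarchy string says what you think it says before relying
    // on it in sec:authorize expressions.
    static Collection<? extends GrantedAuthority> reachableFor(RoleHierarchy hierarchy,
                                                               String... directRoles) {
        List<GrantedAuthority> direct = new ArrayList<>();
        for (String role : directRoles) {
            direct.add(new SimpleGrantedAuthority(role));
        }
        return hierarchy.getReachableGrantedAuthorities(direct);
    }

    // Stand-alone check of the expansion without starting a Spring context:
    //   ROLE_STAFF  -> [ROLE_STAFF, ROLE_USER]
    //   ROLE_ADMIN  -> [ROLE_ADMIN, ROLE_STAFF, ROLE_USER]
    public static void main(String[] args) {
        RoleHierarchy hierarchy = new RoleHierarchyConfig().roleHierarchy();
        System.out.println("staff  -> " + reachableFor(hierarchy, "ROLE_STAFF"));
        System.out.println("admin  -> " + reachableFor(hierarchy, "ROLE_ADMIN"));
        System.out.println("user   -> " + reachableFor(hierarchy, "ROLE_USER"));
    }
}
```

One check worth doing: the hierarchy only takes effect in a sec:authorize expression if the SecurityExpressionHandler the Thymeleaf dialect resolves has this RoleHierarchy set on it. If a ROLE_STAFF user still fails hasRole('USER') in a template while the reachableFor output above is correct, the hierarchy bean is defined but not wired into the web expression handler.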
Normally, you don't need to include the ROLE_ prefix.
However, when it comes to Thymeleaf, not only do you have to include it, it is also case-sensitive:
<li sec:authorize="hasRole('ROLE_ADMIN')">Admin</li>
<li sec:authorize="hasRole('ROLE_USER')">User</li>
Also, an alternative to ROLE_USER (granted all authenticated users are given that role by default) would be to use isAuthenticated() instead, like so:
<li sec:authorize="isAuthenticated()">Authenticated users can see this</li>
If you'd like to see what kind of roles are attributed to the current user, you can add the following to your page:
<span sec:authentication="principal.authorities"></span>
It should render an array of roles upon loading the page, e.g. [ROLE_USER, ROLE_ADMIN]