Default Roles in Spring Security 3.1

The Spring 3.1 Contact security example uses a couple of roles in applicationContext-security.xml:

    <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/hello.htm" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/switchuser.jsp" access="ROLE_SUPERVISOR"/>
    <intercept-url pattern="/j_spring_security_switch_user" access="ROLE_SUPERVISOR"/>
    <intercept-url pattern="/**" access="ROLE_USER"/>

Where are these roles IS_AUTHENTICATED_ANONYMOUSLY, ROLE_SUPERVISOR, ROLE_USER defined? Are these default roles created using Spring Security?

+6
2 answers

IS_AUTHENTICATED_ANONYMOUSLY is defined in the AuthenticatedVoter class.
The various ROLE_xxxx are not particularly significant.

Spring Security offers these roles by default because they are used in most applications.
However, you can define and use custom roles (for example, ROLE_SUPERMAN).
You just need to make sure that the UserDetails returned by your UserDetailsService has this role assigned as a GrantedAuthority (either from the database or manually).

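Actually ROLE is a prefix. If you want to change it to APP (i.e. APP_ADMIN), you must define a custom AppVoter:

    <!-- Spring Security 3.x package; 2.x used org.springframework.security.vote.RoleVoter -->
    <bean class="org.springframework.security.access.vote.RoleVoter">
        <!-- The voter only evaluates access attributes that start with this prefix -->
        <property name="rolePrefix" value="APP"/>
    </bean>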
+13
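The split between AuthenticatedVoter and RoleVoter described in the answer above, as an added example that is not part of the original answer or of the Contacts sample. It assumes spring-security-core 3.x on the classpath; the class name VoterDemo, the principals, the key and the APP_ADMIN authority are constructed sample values.

```java
import java.util.List;

import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.vote.AuthenticatedVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class VoterDemo {

    // Translate the int constants of AccessDecisionVoter into readable labels.
    static String label(int vote) {
        if (vote == AccessDecisionVoter.ACCESS_GRANTED) return "GRANTED";
        if (vote == AccessDecisionVoter.ACCESS_DENIED) return "DENIED";
        return "ABSTAIN";
    }

    static void show(String what, int vote) {
        System.out.println(what + " -> " + label(vote));
    }

    public static void main(String[] args) {
        // Constructed principals (sample values, not from the Contacts sample).
        Authentication anonymous = new AnonymousAuthenticationToken("demoKey",
                "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        Authentication alice = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");
        Authentication bob = new TestingAuthenticationToken("bob", "n/a", "APP_ADMIN");

        AuthenticatedVoter authVoter = new AuthenticatedVoter();
        RoleVoter roleVoter = new RoleVoter();   // default prefix is "ROLE_"
        RoleVoter appVoter = new RoleVoter();
        appVoter.setRolePrefix("APP");           // prefix used in the answer's bean

        List<ConfigAttribute> anon = SecurityConfig.createList("IS_AUTHENTICATED_ANONYMOUSLY");
        List<ConfigAttribute> user = SecurityConfig.createList("ROLE_USER");
        List<ConfigAttribute> supervisor = SecurityConfig.createList("ROLE_SUPERVISOR");
        List<ConfigAttribute> admin = SecurityConfig.createList("APP_ADMIN");

        // IS_AUTHENTICATED_* is a keyword of AuthenticatedVoter, not a role.
        show("AuthenticatedVoter, anonymous, IS_AUTHENTICATED_ANONYMOUSLY", authVoter.vote(anonymous, null, anon));
        show("RoleVoter, anonymous, IS_AUTHENTICATED_ANONYMOUSLY", roleVoter.vote(anonymous, null, anon));
        // ROLE_* attributes are compared with the caller's granted authorities.
        show("RoleVoter, alice, ROLE_USER", roleVoter.vote(alice, null, user));
        show("RoleVoter, alice, ROLE_SUPERVISOR", roleVoter.vote(alice, null, supervisor));
        // After changing the prefix, the voter ignores attributes that lack it.
        show("APP voter, alice, ROLE_USER", appVoter.vote(alice, null, user));
        show("APP voter, bob, APP_ADMIN", appVoter.vote(bob, null, admin));
    }
}
```

A voter abstains on any attribute it does not recognise, and the default AffirmativeBased decision manager denies access when every voter abstains. After changing the prefix, check that no intercept-url rule still uses the old one.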

The roles ROLE_SUPERVISOR and ROLE_USER are defined by us in accordance with our application.

How to create custom roles: How to use custom roles / permissions in Spring Security?

Consult the tutorial for creating custom roles using org.springframework.security.core.userdetails.UserDetailsService.

+2

Source: https://habr.com/ru/post/920953/

