Reputation: 249
I'm trying to learn Spring security.
After going through some tutorials, I found that some of them use UserRole(s), while some use a UserAuthentication class that implements Authentication. The one I tried to implement (and which works) is to create a custom MyUserDetailsService that implements UserDetailsService, and grants authorities (roles?) like this:
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Maps each persisted UserRole to a GrantedAuthority, deduplicating by authority string
private List<GrantedAuthority> buildUserAuthority(Set<UserRole> userRoles) {
    Set<GrantedAuthority> setAuths = new HashSet<GrantedAuthority>();
    // Build user's authorities from the role strings stored with the user
    for (UserRole userRole : userRoles) {
        setAuths.add(new SimpleGrantedAuthority(userRole.getRole()));
    }
    List<GrantedAuthority> result = new ArrayList<GrantedAuthority>(setAuths);
    return result;
}
I want to know what the difference is between User Roles and GrantedAuthorities (for example when using @PreAuthorize(hasRole...) vs @PreAuthorize(hasAuthority...)), and if they do the same thing, why do both exist? Or what are the advantages of using one compared to the other?
Upvotes: 1
Views: 816
Reputation: 252
Regarding your comment about "some are using UserRole while others use UserAuthentication", these are really two different concepts -- UserRole is for user authorization and the other is for user authentication. Why one is used over the other is merely a matter of the various circumstances of implementing a solution to authenticate and authorize users. Authentication is for determining whether or not a user is who she says she is, and authorization is whether or not she may actually perform a request. I may be way off regarding your tutorial, since I've not seen it, but I hope that helps you understand the two different concepts being mentioned in it and why they are complementing concepts, not competing.
Regarding the direction you are going with your implementation, I think you're on the right track with your custom details service; I've done this countless times in the past and it has worked well. Regarding your question about User Roles and GrantedAuthority -- I think it's safe to think about GrantedAuthority as an abstraction allowing you the ability to provide custom string tokens for identifying/classifying some user/system/etc. in a group. Which is basically a UserRole too, right? I'm not a Spring Security contributor, but my guess is that GrantedAuthority was created to simply abstract the concept of roles within their security domain context.
By placing your role string into GrantedAuthority you are saying that an authenticated user has the following authorities -- roles, you could say. @PreAuthorize takes an EL string, which can match one of the strings in an authenticated user's granted authorities collection if the user is 'granted'. If the user isn't granted an authority/role then she doesn't have the ability to perform the request. For what you are asking, the concepts are the same.
From the Spring docs:
@PreAuthorize("hasRole('ROLE_USER')")
public void create(Contact contact);
Also, this page is helpful (see: 15.3 Method Security Expressions): Spring Expressions
I hope this helps.
Upvotes: 2
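The one practical difference worth checking before you pick hasRole or hasAuthority is the "ROLE_" prefix: hasRole() prepends Spring Security's default role prefix to its argument before comparing it with the user's authority strings, while hasAuthority() compares the string literally. With the buildUserAuthority() method from the question, whatever userRole.getRole() returns is stored verbatim, so hasRole('USER') only matches if the database row holds "ROLE_USER". The program below is an added example (not code from the question or the answer) that shows this by evaluating the same checks @PreAuthorize evaluates, using Spring Security's SecurityExpressionRoot directly instead of an annotated bean. It assumes spring-security-core (4.x or later) on the classpath; the user "alice", the authority strings "ROLE_USER" and "contact:write", and the users "bob" and "carol" are constructed sample data.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.security.access.expression.SecurityExpressionRoot;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;

public class RoleVsAuthorityDemo {

    /**
     * Wraps authority strings (as a custom UserDetailsService would load them from a
     * UserRole table) in an authenticated token and in the evaluation root that the
     * hasRole()/hasAuthority() functions of a @PreAuthorize EL string are invoked on.
     */
    static SecurityExpressionRoot expressionRootFor(String... authorityNames) {
        List<GrantedAuthority> authorities = Arrays.stream(authorityNames)
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        // The three-argument constructor produces an already-authenticated token.
        Authentication authentication =
                new UsernamePasswordAuthenticationToken("alice", "n/a", authorities);
        // SecurityExpressionRoot is abstract but declares no abstract methods, so an
        // anonymous subclass is enough to call its hasRole()/hasAuthority() methods.
        return new SecurityExpressionRoot(authentication) { };
    }

    static void check(String expression, boolean result) {
        System.out.printf("%-32s -> %s%n", expression, result);
    }

    public static void main(String[] args) {
        // Constructed sample: one role-style string and one permission-style string,
        // stored verbatim exactly as buildUserAuthority() in the question would do.
        SecurityExpressionRoot alice = expressionRootFor("ROLE_USER", "contact:write");

        // hasRole() prepends "ROLE_" to its argument unless the argument already starts
        // with it, then compares; hasAuthority() compares the literal string.
        check("hasRole('USER')", alice.hasRole("USER"));
        check("hasRole('ROLE_USER')", alice.hasRole("ROLE_USER"));
        check("hasAuthority('ROLE_USER')", alice.hasAuthority("ROLE_USER"));
        check("hasAuthority('USER')", alice.hasAuthority("USER"));
        // A permission-style name has no "ROLE_" prefix, so only hasAuthority() fits it.
        check("hasRole('contact:write')", alice.hasRole("contact:write"));
        check("hasAuthority('contact:write')", alice.hasAuthority("contact:write"));

        // The same prefix rule exists on the UserDetails builder: roles() prepends
        // "ROLE_" and rejects an argument that already starts with it (IllegalArgumentException),
        // while authorities() stores the strings exactly as given.
        UserDetails viaRoles = User.withUsername("bob")
                .password("secret").roles("ADMIN").build();
        UserDetails viaAuthorities = User.withUsername("carol")
                .password("secret").authorities("ADMIN").build();
        System.out.println("roles(\"ADMIN\") stores:       " + viaRoles.getAuthorities());
        System.out.println("authorities(\"ADMIN\") stores: " + viaAuthorities.getAuthorities());
    }
}
```

Run it with spring-security-core on the classpath and compare the output of the paired checks: hasRole('USER'), hasRole('ROLE_USER') and hasAuthority('ROLE_USER') resolve to the same membership test against the "ROLE_USER" string, whereas hasAuthority('USER') looks for a literal "USER" that was never granted. In practice this means: if your UserRole table stores prefixed names such as "ROLE_USER", hasRole and hasAuthority are interchangeable for roles; if it stores bare names, use hasAuthority or prepend "ROLE_" in buildUserAuthority(); and for fine-grained permissions like "contact:write", where a "ROLE_" prefix makes no sense, hasAuthority is the right check.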