Spring security issue: Introducing more roles in security application

Question

I am applying security to my MVC application and I am now working for the roles and their implementation all are going ok. And I am following this tutorial. The Role.java is as bellow:

package com.heraclitus.domain;
public enum Role {

    ADMIN_ROLE("ROLE_ADMIN", 1), USER_ROLE("ROLE_USER", 0);

    private final int order;
    private final String roleName;

    private Role(final String roleName, final int order) {
        this.roleName = roleName;
        this.order = order;
    }

    public int order() {
        return order;
    }

    public String roleName() {
        return roleName;
    }
}

Can some body explain me what is the value 1 and 0 in both roles ADMIN_ROLE("ROLE_ADMIN", 1), USER_ROLE("ROLE_USER", 0); This is when I have one Admin role which also contain user role and one user role. What if I have more that 2 roles for admin role e.g. Admin, supervisor, user etc..? what will be the # in admin role will be?

Another question is that in applicationContext-security.xml

<authentication-provider>
        <user-service id="userDetailsService">
            <user name="admin" password="admin" authorities="ROLE_USER, ROLE_ADMIN" />
            <user name="username" password="password" authorities="ROLE_USER" />
            <user name="test" password="test" authorities="ROLE_USER" />
        </user-service>
    </authentication-provider>

Now if I want to add more users e.g. 1.Admin, 2.Supervisor, 3.Accountant, etc and admin has all rights for all users (supervisor, accountant, etc) what should I use? what is the best way? Thank you

Answer 1

For me, the best way of handling users and roles with spring security is using a database (you can use a properties file if you prefer).

Check point 2.2.3: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/ns-config.html