In this article on Spring Security we look at the difference between a granted authority and a role. Understanding this difference matters, because these two concepts are the building blocks of Spring Security's authorization architecture.
Granted Authority vs Role in Spring Security
While working with Spring Security you will see the terms granted authority and role used frequently. In this article we examine granted authority vs role in Spring Security and how the framework uses each of them internally. Let's look at each one individually to understand it better.
1. Granted Authority
To put it simply, a granted authority in Spring Security is a "permission" or "right" held by an authenticated user (a principal), usually grouped under a role. The authority names used in this article are examples only; they do not reflect any Spring Security naming convention or rule, and an application is free to choose its own.
Spring Security lets you check these authorities with expressions such as hasAuthority("DELETE_AUTHORITY"). Internally it calls getAuthority() on each GrantedAuthority held by the authenticated principal and hands the resulting strings to the voters that decide whether access is granted (voters are covered in the next article; note that Spring Security 5.5 introduced AuthorizationManager as the successor of the voter-based AccessDecisionManager, and Spring Security 6 uses it by default). The most common way to give a user granted authorities is a custom UserDetailsService that builds and returns the GrantedAuthority objects for your application. Here is the constructor of the default User object that Spring Security returns, including the list of authorities:
    public User(String username, String password, boolean enabled, boolean accountNonExpired, boolean credentialsNonExpired, boolean accountNonLocked, Collection<? extends GrantedAuthority> authorities)
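The following is an added example, not code from the original article: a custom UserDetailsService that looks up a user's authorities, wraps them as GrantedAuthority objects and returns Spring Security's default User through the constructor shown above, plus a filter chain that guards DELETE requests with hasAuthority("DELETE_AUTHORITY"). It assumes Spring Security 6 (the requestMatchers/authorizeHttpRequests API), a hypothetical package com.example.security, and a constructed in-memory map standing in for the user and authority tables of a real application.

```java
// Added example, not from the original article. Hypothetical package name.
package com.example.security;

import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;

@Service
public class AuthorityUserDetailsService implements UserDetailsService {

    // Constructed sample data: username -> authority names. In a real application this
    // comes from a user/authority table; the names themselves are application-defined.
    private static final Map<String, List<String>> AUTHORITIES = Map.of(
            "alice", List.of("READ_AUTHORITY", "DELETE_AUTHORITY"),
            "bob",   List.of("READ_AUTHORITY"));

    // Constructed sample passwords, encoded once at startup so nothing is stored in plaintext.
    private final Map<String, String> encodedPasswords;

    public AuthorityUserDetailsService(PasswordEncoder passwordEncoder) {
        this.encodedPasswords = Map.of(
                "alice", passwordEncoder.encode("alice-secret"),
                "bob",   passwordEncoder.encode("bob-secret"));
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        List<String> names = AUTHORITIES.get(username);
        if (names == null) {
            // DaoAuthenticationProvider turns this into BadCredentialsException by default,
            // so a login attempt cannot tell "no such user" from "wrong password".
            throw new UsernameNotFoundException("user not found");
        }
        // Each authority string becomes a GrantedAuthority whose getAuthority() returns it.
        List<GrantedAuthority> authorities = names.stream()
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());

        // The seven-argument constructor: enabled, accountNonExpired, credentialsNonExpired,
        // accountNonLocked, then the authorities the voters/authorization managers will see.
        return new User(username, encodedPasswords.get(username),
                true, true, true, true, authorities);
    }
}

@Configuration
@EnableWebSecurity
class AuthorityConfig {

    @Bean
    PasswordEncoder passwordEncoder() {
        // Delegating encoder: bcrypt by default, and stored hashes carry their algorithm id.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                        // hasAuthority compares the raw string returned by getAuthority().
                        .requestMatchers(HttpMethod.DELETE, "/api/**").hasAuthority("DELETE_AUTHORITY")
                        .anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With this configuration alice can issue DELETE requests under /api/ and bob cannot, even though both can authenticate; the decision depends only on the strings the UserDetailsService placed in the authority list.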
GrantedAuthority objects are application-wide permissions; they are not constraints tied to a particular domain object. So a GrantedAuthority is not the right tool for expressing "may edit this Employee" or "may view that Customer". For per-object permissions of that kind Spring Security provides its domain object security (ACL) module. Roles, discussed next, are coarser still: they group application-wide permissions rather than narrowing them to a single object.
2. Roles in Spring Security
Roles can be seen as coarse-grained GrantedAuthorities: a role is represented as a String carrying the prefix "ROLE_". You can check a role directly in a Spring Security application with hasRole("CUSTOMER"), which matches a principal holding the authority ROLE_CUSTOMER. For simple applications you can think of roles simply as GrantedAuthorities with that prefix.
3. Spring Security Roles as Container
We can also use roles as containers for authorities or privileges. This approach gives us the flexibility to map roles to permissions according to business rules. Let's look at a few examples to make this clear.
- A user with the role ROLE_ADMIN has the authorities to
- A user with the role ROLE_USER has the authority to
- A user with
Again, all of this can be done with a custom UserDetailsService that collects the user's roles and the operations each role contains, and exposes them together through getAuthorities() on the returned UserDetails.
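The following is an added example, not code from the original article, showing the "role as container" idea as a small mapper: each role expands to the privileges it contains, and the result carries both the ROLE_ entries and the individual privileges so that hasRole() and hasAuthority() checks can both be satisfied from one authority list. It assumes Spring Security 5.x or 6.x, a hypothetical package com.example.security, and a constructed role-to-privilege map standing in for a roles/privileges table; a custom UserDetailsService would call authoritiesFor() when building its User.

```java
// Added example, not from the original article. Hypothetical package name.
package com.example.security;

import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public final class RoleAuthorityMapper {

    private static final String ROLE_PREFIX = "ROLE_";

    // Constructed mapping: each role is a container for a set of privileges.
    // Privilege names are application-defined; Spring Security imposes no convention on them.
    private static final Map<String, List<String>> ROLE_PRIVILEGES = Map.of(
            "ROLE_ADMIN", List.of("READ_PRIVILEGE", "WRITE_PRIVILEGE", "DELETE_PRIVILEGE"),
            "ROLE_USER",  List.of("READ_PRIVILEGE"));

    private RoleAuthorityMapper() {
    }

    /**
     * Builds the GrantedAuthority collection for a user holding the given roles.
     * Both the role itself and every privilege it contains are emitted, so for an admin
     * hasRole("ADMIN") and hasAuthority("DELETE_PRIVILEGE") are both satisfied.
     * An unknown role is rejected rather than silently ignored: silently dropping it
     * would hide a misconfigured role assignment behind an unexplained access denial.
     */
    public static Collection<GrantedAuthority> authoritiesFor(Collection<String> roles) {
        Set<String> names = new LinkedHashSet<>(); // de-duplicates shared privileges, keeps order
        for (String role : roles) {
            // Accept either "ADMIN" or "ROLE_ADMIN" from the caller; store the prefixed form.
            String roleName = role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role;
            List<String> privileges = ROLE_PRIVILEGES.get(roleName);
            if (privileges == null) {
                throw new IllegalArgumentException("unknown role: " + role);
            }
            names.add(roleName);
            names.addAll(privileges);
        }
        List<GrantedAuthority> authorities = new ArrayList<>(names.size());
        for (String name : names) {
            authorities.add(new SimpleGrantedAuthority(name));
        }
        return authorities;
    }

    public static void main(String[] args) {
        // A user holding both roles ends up with ROLE_USER, ROLE_ADMIN and the union of their
        // privileges, with the shared READ_PRIVILEGE appearing only once.
        System.out.println(authoritiesFor(List.of("USER", "ADMIN")));
        // An unassigned role name is a configuration error and fails loudly.
        try {
            authoritiesFor(List.of("AUDITOR"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Keeping the role entries in the list alongside the privileges is what makes the container approach cheap to adopt: existing hasRole() checks keep working while new, finer-grained hasAuthority() checks can be introduced endpoint by endpoint.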
4. Using Granted Authority vs Role in Spring Security
Earlier versions of Spring Security used hasRole() and hasAuthority() more or less interchangeably. Since Spring Security 4 the behaviour is consistent, and we should be consistent as well when choosing between hasRole() and hasAuthority(). Keep the following simple rules in mind:
- Always include the ROLE_ prefix when using hasAuthority(). It compares the raw authority string, so hasAuthority("ADMIN") does not match ROLE_ADMIN and the request is simply denied.
- When using hasRole(), do not add the ROLE_ prefix, because Spring Security prepends it automatically (hasRole("ADMIN") checks for ROLE_ADMIN; the HttpSecurity DSL rejects hasRole("ROLE_ADMIN") with an IllegalArgumentException).
The ROLE_ prefix is only the default: it can be changed application-wide by registering a GrantedAuthorityDefaults bean, and the rules above then apply to whatever prefix you configured.
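The following is an added example, not code from the original article, that exercises the two rules directly against AuthorityAuthorizationManager, the component behind hasRole() and hasAuthority() in authorizeHttpRequests(). It assumes Spring Security 5.7 or later (UsernamePasswordAuthenticationToken.authenticated() and AuthorizationManager.check(); in 6.4 check() is deprecated in favour of authorize() but still works), a hypothetical package com.example.security, and a constructed Authentication whose only authority is ROLE_ADMIN.

```java
// Added example, not from the original article. Hypothetical package name.
package com.example.security;

import java.util.function.Supplier;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

public class RolePrefixDemo {

    // Constructed, already-authenticated token whose only authority is the role ROLE_ADMIN.
    private static final Authentication ADMIN = UsernamePasswordAuthenticationToken.authenticated(
            "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));

    // Runs one manager against one authentication; null stands in for the secured object.
    static boolean granted(AuthorityAuthorizationManager<Object> manager, Authentication auth) {
        Supplier<Authentication> supplier = () -> auth;
        return manager.check(supplier, null).isGranted();
    }

    public static void main(String[] args) {
        // Rule 2: hasRole() takes the bare name; ROLE_ is prepended for you, so this matches.
        System.out.println("hasRole(\"ADMIN\") granted: "
                + granted(AuthorityAuthorizationManager.hasRole("ADMIN"), ADMIN));

        // Rule 1: hasAuthority() compares the raw string, so the prefix must be written out.
        System.out.println("hasAuthority(\"ROLE_ADMIN\") granted: "
                + granted(AuthorityAuthorizationManager.hasAuthority("ROLE_ADMIN"), ADMIN));

        // Forgetting the prefix with hasAuthority() fails closed: "ADMIN" matches nothing.
        System.out.println("hasAuthority(\"ADMIN\") granted: "
                + granted(AuthorityAuthorizationManager.hasAuthority("ADMIN"), ADMIN));

        // Writing the prefix with hasRole() is rejected when the rule is built, i.e. at
        // configuration time, not silently at request time.
        try {
            AuthorityAuthorizationManager.hasRole("ROLE_ADMIN");
        } catch (IllegalArgumentException e) {
            System.out.println("hasRole(\"ROLE_ADMIN\") rejected: " + e.getMessage());
        }
    }
}
```

The middle case is the one to watch for in reviews: a missing prefix in hasAuthority() does not throw, it just denies everyone, which is easy to mistake for a user-data problem rather than a configuration mistake.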
In this brief article we tried to understand the difference between granted authorities and roles in Spring Security. We covered the following topics:
- What GrantedAuthorities are in Spring Security.
- What roles are and how they differ from GrantedAuthorities.
- How to use roles as containers for authorities.
- How to use hasAuthority() and hasRole() correctly in your Spring Security application.
As always, the source code for our Spring security course is available on the GitHub repository.