In this article of Spring security, we will look at the significant difference between granted authority vs role in Spring security.This is really important that we understand the difference as this is the building block for Spring security authorization architecture.
Granted Authority vs Role in Spring Security
While working on the Spring security, you will see the terms granted authorities and roles being used frequently. In this article we will inspect the granted authority vs role in spring security and how they are used internally by security framework. Let’s look at each of this individually to understand it better.
1. Granted Authority
To put in simple words, Granted authority in spring security is a “permission” or “right” given to a role. Some example of the granted authorities can be
READ_AUTHORITYWRITE_AUTHORITYUPDATE_AUTHORITYDELETE_AUTHORITY
Above name are examples and do not outline any spring security naming conventions and rules.
Spring security provides the option to use these authorities using the expressions like hasAuthority("DELETE_AUTHORITY"). Spring security internally uses the getAuthority() method to let voters decide if access is granted or not (we will cover voters in our next article). The most common way to provide granted authorities to a user by implementing custom UserDetailsService that build and return the GrantedAuthorities for our application.Here is the default User object return by Spring security including list of GrantedAuthorities.
public User(String username,
String password,
boolean enabled,
boolean accountNonExpired,
boolean credentialsNonExpired,
boolean accountNonLocked,
Collection<? extends GrantedAuthority> authorities)The GrantedAutority objects are application wide permissions and not constraints to the domain objects. So we may not use the GrantedAuthority to represent the permissions to an Employee or Customer. For these kinds of situations, we will use Roles, which is more aligned for defining these kinds of use cases.
2. Roles in Spring Security
Roles can be seen as coarse-grained GrantedAuthorities represented as a String with prefix with “ROLE“. We can use a role directly in Spring security application by using hasRole("CUSTOMER"). For few simple applications, you can think of Roles as a GrantedAuthorities.Here are some example for the Spring security Roles.
- ROLE_ADMIN
- ROLE_MANAGER
- ROLE_USER
3. Spring Security Roles as Container
We can also use the roles as container for authorities or privileges. This approach provides flexibility to map roles based on business rules. Let’s take look at few examples to understand it clearly.
- User with
ROLE_ADMINrole have the authorities toREAD,DELETE,WRITE,UPDATE. - A user with role
ROLE_USERhas authority toREADonly. - User with
ROLE_MANAGERcan performREAD,WRITEandUPDATEoperations.
Again, all this can be easily done using a custom UserDetailsService which take care to collect all roles and all operations and make them available by the method getAuthorities().
4. Using Granted Authority vs Role in Spring Security
Spring security use the hasRole() and hasAuthority() interchangeably.With Spring security 4, it is more consistent and we should also be consistent with our approach while using the hasRole() and hasAuthority() method. Let’s keep in mind the following simple rules.
- Always add the
ROLE_while using thehasAuthority()method (e.ghasAuthority("ROLE_CUSTOMER")). - While using
hasRole(), do not add theROLE_prefix as it will be added automatically by Spring security (hasRole("CUSTOMER")).
Summary
In this brief article, we tried to understand the difference between granted authorities vs role in Spring security. We covered the following topics:
- What are
GrantedAuthoritiesin Spring security? - What are roles and if they differ from
GrantedAuthorities? - How to use the roles and container for the
GrantedAuthorities. - How to use
hasAuthority()andhasRole()method while working on your spring security application.
As always, the source code for our Spring security course is available on the GitHub repository.
