Spring Security with roles and permissions

by

I’m the author of the article in question.

No doubt there are multiple ways to do it, but the way I typically do it is to implement a custom UserDetails that knows about roles and permissions. Role and Permission are just custom classes that you write. (Nothing fancy–Role has a name and a set of Permission instances, and Permission has a name.) Then the getAuthorities() returns GrantedAuthority objects that look like this:

PERM_CREATE_POST, PERM_UPDATE_POST, PERM_READ_POST

instead of returning things like

ROLE_USER, ROLE_MODERATOR

The roles are still available if your UserDetails implementation has a getRoles() method. (I recommend having one.)

Ideally you assign roles to the user and the associated permissions are filled in automatically. This would involve having a custom UserDetailsService that knows how to perform that mapping, and all it has to do is source the mapping from the database. (See the article for the schema.)

Then you can define your authorization rules in terms of permissions instead of roles.

Hope that helps.

More Related Contents:

  1. How to get active user’s UserDetails
  2. How to fix role in Spring Security?
  3. How To Inject AuthenticationManager using Java Configuration in a Custom Filter
  4. How to manage exceptions thrown in filters in Spring?
  5. How to manually set an authenticated user in Spring Security / SpringMVC
  6. Disable Spring Security for OPTIONS Http Method
  7. Can Spring Security use @PreAuthorize on Spring controllers methods?
  8. HttpSecurity, WebSecurity and AuthenticationManagerBuilder
  9. multiple authentication mechanisms in a single app using java config
  10. Logout/Session timeout catching with spring security
  11. How to get the current logged in user object from spring security?
  12. Customize authentication failure response in Spring Security using AuthenticationFailureHandler
  13. Spring security does not allow CSS or JS resources to be loaded
  14. how to display custom error message in jsp for spring security auth exception
  15. Spring Security 5 : There is no PasswordEncoder mapped for the id “null”
  16. Spring security’s SecurityContextHolder: session or request bound?
  17. Securing Spring Boot API with API key and secret
  18. Spring Security multiple url ruleset not working together
  19. Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web – Annotations
  20. Spring security added prefix “ROLE_” to all roles name?
  21. Why this Spring application with java-based configuration don’t work properly
  22. How to test spring-security-oauth2 resource server security?
  23. Spring REST security – Secure different URLs differently
  24. What does Cookie CsrfTokenRepository.withHttpOnlyFalse () do and when to use it?
  25. Single role multiple IP addresses in Spring Security configuration
  26. Spring Security HTTP Basic Authentication
  27. disabling spring security in spring boot app [duplicate]
  28. Disabling a filter for only a few paths
  29. Spring Boot Microservices – Spring Security – ServiceTest and ControllerTest for JUnit throwing java.lang.StackOverflowError
  30. Custom Authentication Manager with Spring Security and Java Configuration

Leave a Comment