Granted Authority vs Role in Spring Security

In this article of Spring security, we will look at the significant difference between granted authority vs role in Spring security.This is really important that we understand the difference as this is the building block for Spring security authorization architecture.

Granted Authority vs Role in Spring Security

While working on the Spring security, you will see the terms granted authorities and roles being used frequently. In this article we will inspect the granted authority vs role in spring security and how they are used internally by security framework. Let’s look at each of this individually to understand it better.

1. Granted Authority

To put in simple words, Granted authority in spring security is a “permission” or “right” given to a role. Some example of the granted authorities can be

  1. READ_AUTHORITY
  2. WRITE_AUTHORITY
  3. UPDATE_AUTHORITY
  4. DELETE_AUTHORITY

Above name are examples and do not outline any spring security naming conventions and rules.

Spring security provides the option to use these authorities using the expressions like hasAuthority("DELETE_AUTHORITY"). Spring security internally uses the getAuthority() method to let voters decide if access is granted or not (we will cover voters in our next article). The most common way to provide granted authorities to a user by implementing custom UserDetailsService that build and return the GrantedAuthorities for our application.Here is the default User object return by Spring security including list of GrantedAuthorities.

public User(String username, 
            String password, 
            boolean enabled, 
            boolean accountNonExpired,
            boolean credentialsNonExpired, 
            boolean accountNonLocked, 
            Collection<? extends GrantedAuthority> authorities)

The GrantedAutority objects are application wide permissions and not constraints to the domain objects. So we may not use the GrantedAuthority to represent the permissions to an Employee or Customer. For these kinds of situations, we will use Roles, which is more aligned for defining these kinds of use cases.

2. Roles in Spring Security

Roles can be seen as coarse-grained GrantedAuthorities represented as a String with prefix with “ROLE. We can use a role directly in Spring security application by using hasRole("CUSTOMER"). For few simple applications, you can think of Roles as a GrantedAuthorities.Here are some example for the Spring security Roles.

  1. ROLE_ADMIN
  2. ROLE_MANAGER
  3. ROLE_USER

3. Spring Security Roles as Container

We can also use the roles as container for authorities or privileges. This approach provides flexibility to map roles based on business rules. Let’s take look at few examples to understand it clearly.

  1. User with ROLE_ADMIN role have the authorities to READ,DELETE,WRITE,UPDATE.
  2. A user with role ROLE_USER has authority to READ only.
  3. User with ROLE_MANAGER can perform READ, WRITE and UPDATE operations.

Again, all this can be easily done using a custom UserDetailsService which take care to collect all roles and all operations and make them available by the method getAuthorities().

4. Using Granted Authority vs Role in Spring Security

Spring security use the hasRole() and hasAuthority() interchangeably.With Spring security 4, it is more consistent and we should also be consistent with our approach while using the hasRole() and hasAuthority() method. Let’s keep in mind the following simple rules.

  1. Always add the ROLE_ while using the hasAuthority() method (e.g hasAuthority("ROLE_CUSTOMER")).
  2. While using hasRole(), do not add the ROLE_ prefix as it will be added automatically by Spring security (hasRole("CUSTOMER")).

Summary

In this brief article, we tried to understand the difference between granted authorities vs role in Spring security. We covered the following topics:

  1. What are GrantedAuthorities in Spring security?
  2. What are roles and if they differ from GrantedAuthorities?
  3. How to use the roles and container for the GrantedAuthorities.
  4. How to use hasAuthority() and hasRole() method while working on your spring security application.

As always, the source code for our Spring security course is available on the GitHub repository.