  • Permissions in roles

    I want to implement Spring Security in a project but have the following question:

    - If I have a role, say USER_ROLE, with different attributes like EMPLOYEE, VISITOR, CONTRACTOR which need different privileges based on that attribute, how do I implement this in Spring Security without creating a new role for each type?

    Thanks in advance.

  • #2

    I liked the InfoQ video from Mike Wiesner:

    He talked about Roles and Rights, but I don't know if it's a feature that will come or has been discarded.

    I used this approach in a project: a User has Roles (USER_ROLE for instance) and each role has rights (EMPLOYEE, VISITOR, CONTRACTOR).

    Then you can implement your own UserDetailsService, creating in your loadUserByUsername a UserDetails with GrantedAuthority based on rights instead of roles.

    You can do something similar if you meant a user has user.employee, user.visitor or user.contractor attributes: build your own UserDetailsService to create GrantedAuthorities as desired.

    Then, you can use EL expressions.

    That would solve your "permissions in roles" question. Alternatively, you can create a hierarchy of users (if one user can only be of one type: EMPLOYEE, VISITOR or CONTRACTOR).

    With that, you can obtain information about the current user and make decisions based on that:

    import java.util.*;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;
    import org.springframework.security.core.userdetails.UsernameNotFoundException;

    public class CustomUserDetailsServiceImpl implements UserDetailsService {
        public UserDetails loadUserByUsername(String username)
                throws UsernameNotFoundException {
            Object user = null; // TODO: load the user (with its roles/rights) from the database
            Set<GrantedAuthority> dbAuthsSet = new HashSet<GrantedAuthority>();
            return new CustomUser(user);
        }
    }

    public class CustomUser implements UserDetails {
        Object user; // TODO: replace Object with your own user entity type

        public CustomUser(Object user) {
            this.user = user;
        }

        public Collection<? extends GrantedAuthority> getAuthorities() {
            // TODO convert user.roles to collection of GrantedAuthority
            return null;
        }

        public String getPassword() {
            return user.getPassword(); // compiles once Object is replaced by the user entity type
        }
        // remaining UserDetails methods (getUsername, isEnabled, ...) not shown in the post
    }

    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    if (principal instanceof CustomUser) {
        CustomUser user = (CustomUser) principal;
        if (user instanceof Employee) { // assumes Employee extends CustomUser in the user hierarchy
            Employee employee = (Employee) user;
            // take decisions based on the employee here
        }
    }
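As an added illustration of the rights-instead-of-roles approach described in this reply (example code, not from the original post or from Spring Security itself): a UserDetailsService that gives every ROLE_USER account the role's base rights plus the rights implied by its EMPLOYEE, VISITOR or CONTRACTOR attribute, and grants those rights as authorities. It assumes Spring Security 3.1 or later (SimpleGrantedAuthority), and the usernames, right names and password placeholders are constructed sample data.

```java
import java.util.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// One role (ROLE_USER) whose members carry a type attribute; only the rights
// implied by role + type are granted, so authorization rules name rights, not roles.
public class RightsBasedUserDetailsService implements UserDetailsService {
    // Constructed sample: rights every ROLE_USER member holds.
    private static final List<String> ROLE_USER_RIGHTS = Arrays.asList("VIEW_DASHBOARD");

    // Constructed sample: additional rights keyed by the type attribute.
    private static final Map<String, List<String>> RIGHTS_BY_TYPE = new HashMap<String, List<String>>();
    static {
        RIGHTS_BY_TYPE.put("EMPLOYEE", Arrays.asList("VIEW_PAYROLL", "EDIT_TIMESHEET"));
        RIGHTS_BY_TYPE.put("CONTRACTOR", Arrays.asList("EDIT_TIMESHEET"));
        RIGHTS_BY_TYPE.put("VISITOR", Collections.<String>emptyList());
    }

    // Constructed sample users: username -> { encoded password (placeholder), type }.
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        USERS.put("alice", new String[] { "<encoded-password-placeholder>", "EMPLOYEE" });
        USERS.put("bob",   new String[] { "<encoded-password-placeholder>", "CONTRACTOR" });
    }

    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        String[] row = USERS.get(username); // real code: query user, role and type from the database
        if (row == null) {
            throw new UsernameNotFoundException("user not found: " + username);
        }
        return new User(username, row[0], rightsFor(row[1]));
    }

    // Maps role + type to GrantedAuthority objects; an unknown type yields only the
    // role's base rights (fail closed rather than guessing extra privileges).
    static Collection<GrantedAuthority> rightsFor(String type) {
        List<String> rights = new ArrayList<String>(ROLE_USER_RIGHTS);
        List<String> extra = RIGHTS_BY_TYPE.get(type);
        if (extra != null) rights.addAll(extra);
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (String right : rights) {
            authorities.add(new SimpleGrantedAuthority(right));
        }
        return authorities;
    }
}
```

Authorization rules then check a right by name, for example @PreAuthorize("hasAuthority('VIEW_PAYROLL')"), so no ROLE_EMPLOYEE or ROLE_CONTRACTOR roles need to exist.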