
I am using Spring Security within my web application, and I am utilising the 2 standard authorisation levels 'ROLE_USER' and 'ROLE_ADMIN'. Is there any possibility that I can add another level?

Maff

1 Answer


Simply add them to your intercept-url tag. For example I have the following configuration:

<security:http auto-config="false" use-expressions="true" access-denied-page="/denied.do"
                   entry-point-ref="authenticationEntryPoint">
    <security:intercept-url pattern="/index.do" access="hasAnyRole('PROGRAM_VIEW', 'PROGRAM_ADMIN')"/>
    <security:intercept-url pattern="/**" access="hasAnyRole('PROGRAM_VIEW', 'PROGRAM_ADMIN')"/>

    <security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>

    <security:logout invalidate-session="true" logout-success-url="/" logout-url="/logout.do"/>
</security:http>

My additional roles are PROGRAM_VIEW and PROGRAM_ADMIN (I'm not using ROLE_ADMIN and ROLE_USER).

These additional roles are coming from the database.

Ernestas Kardzys
  • Ok great! What happens if I would like to use the tag for example? Can I replace ROLE_ADMIN with my custom one? – Maff Oct 24 '13 at 07:25
  • Yes. Example here: http://docs.spring.io/spring-security/site/docs/3.0.x/reference/taglibs.html (here custom role is "supervisor"). Or take a look at discussion at http://stackoverflow.com/questions/11469211/how-to-use-secauthorize-access-hasroleroles-for-checking-multiple-roles – Ernestas Kardzys Oct 24 '13 at 10:44
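
One way to back custom role names such as PROGRAM_VIEW and PROGRAM_ADMIN with a database, shown as an added example that is not the answerer's own configuration. It assumes Spring Security 3.1 or later with XML namespace configuration, a `dataSource` bean defined elsewhere, and hypothetical `app_user` and `app_user_role` tables; the `/admin/**` pattern is also an assumption.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Assumption: a javax.sql.DataSource bean named "dataSource" exists elsewhere. -->

    <security:http use-expressions="true">
        <!-- Rules are evaluated in declaration order, so the most specific
             pattern comes first and the catch-all comes last. -->
        <security:intercept-url pattern="/admin/**"
                                access="hasRole('PROGRAM_ADMIN')"/>
        <security:intercept-url pattern="/**"
                                access="hasAnyRole('PROGRAM_VIEW', 'PROGRAM_ADMIN')"/>
        <security:form-login/>
        <security:logout invalidate-session="true"/>
    </security:http>

    <!-- Stored passwords are compared as BCrypt hashes rather than plaintext. -->
    <bean id="passwordEncoder"
          class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder"/>

    <security:authentication-manager>
        <security:authentication-provider>
            <security:password-encoder ref="passwordEncoder"/>
            <!-- Hypothetical schema:
                   app_user(username, password, enabled)
                   app_user_role(username, role_name)
                 role_name holds the literal authority string, e.g. PROGRAM_VIEW.
                 Each row returned by the second query becomes one granted
                 authority on the authenticated user. -->
            <security:jdbc-user-service
                data-source-ref="dataSource"
                users-by-username-query="select username, password, enabled from app_user where username = ?"
                authorities-by-username-query="select username, role_name from app_user_role where username = ?"/>
        </security:authentication-provider>
    </security:authentication-manager>
</beans>
```

In Spring Security 3.x, `hasRole` and `hasAnyRole` compare the given string against the granted authority as written, so unprefixed names like these match directly. From 4.0 onward those expressions prepend `ROLE_` by default, and `hasAuthority` / `hasAnyAuthority` are the expressions that match unprefixed authority names.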