
I am a little bit confused about Roles and Authority in Spring Security.

As per my knowledge of Spring Security,

  1. AUTHORITIES are operations like CREATE, READ, UPDATE, DELETE, etc.

  2. ROLES are designations like MANAGER, TECH_LEAD, HR, etc.

So, to use the Roles and Authorities in a Spring Boot project we use SpEL expressions like hasAuthority, hasRole, etc.

Also, at the DB, we should define a schema like the one below:

User table: user_id, user_name, password

Role table: role_id, role_name

Authority table: auth_id, auth_name

user_role mapping table: ur_id, role_id (from role table)

user_authority mapping table: ua_id, authority_id (from authority table)

My queries are:

  1. Is the DB schema defined above proper, or should we use only one of Roles and Authorities?

  2. I see examples on the internet where Roles are converted into Authorities (code snippet below). So, internally, does Spring Boot take only Authorities into consideration?

    import java.util.Collection;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.AuthorityUtils;

    // Maps each Role name directly to a GrantedAuthority; no ROLE_ prefix is added here.
    private static Collection<? extends GrantedAuthority> getAuthorities(User user) {
        String[] userRoles = user.getRoles().stream()
                .map(role -> role.getName())
                .toArray(String[]::new);
        return AuthorityUtils.createAuthorityList(userRoles);
    }

  3. If the DB schema provided above is incorrect, then how do we effectively use both Roles and Authorities in a project?

Rajeev
    Hi, I believe this post nicely explains the 'difference' you are looking for: https://stackoverflow.com/a/19542316/9862795 – GoranLegenda Aug 18 '23 at 13:16
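Added example, not from the question or from any answer on this page: one way to use both tables together on Spring Security 6 APIs. Roles and fine-grained authorities are both loaded into the single GrantedAuthority collection that Spring Security actually evaluates; the only difference between them is the ROLE_ prefix, which hasRole('MANAGER') prepends before comparing, while hasAuthority('DELETE') compares the literal string. The Role, Authority and AppUser records, the sample user and the URL paths are placeholders standing in for the asker's tables, not real project code.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.SecurityFilterChain;

public class RolesAndAuthoritiesExample {

    // Placeholder domain types (assumed, not the asker's entities) mirroring the role,
    // authority and mapping tables from the question.
    record Role(String name) {}
    record Authority(String name) {}
    record AppUser(String username, String encodedPassword, Set<Role> roles, Set<Authority> authorities) {}

    /** Spring Security evaluates one flat GrantedAuthority collection; both tables feed it. */
    static List<GrantedAuthority> toGrantedAuthorities(AppUser user) {
        List<GrantedAuthority> granted = new ArrayList<>();
        for (Role role : user.roles()) {
            // hasRole("MANAGER") looks for "ROLE_MANAGER": add the prefix here and nowhere else.
            String name = role.name().startsWith("ROLE_") ? role.name() : "ROLE_" + role.name();
            granted.add(new SimpleGrantedAuthority(name));
        }
        for (Authority authority : user.authorities()) {
            // Operation-level permissions stay unprefixed and are matched by hasAuthority("DELETE").
            granted.add(new SimpleGrantedAuthority(authority.name()));
        }
        return granted;
    }

    /** Builds the UserDetails that a UserDetailsService would return for this user. */
    static UserDetails toUserDetails(AppUser user) {
        return User.withUsername(user.username())
                .password(user.encodedPassword())
                .authorities(toGrantedAuthorities(user))
                .build();
    }

    @Configuration
    @EnableMethodSecurity
    static class SecurityConfig {
        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http.authorizeHttpRequests(auth -> auth
                    // Designation check: requires the authority "ROLE_MANAGER" (prefix added by hasRole).
                    .requestMatchers("/reports/**").hasRole("MANAGER")
                    // Operation check: requires the literal authority "DELETE", no prefix.
                    .requestMatchers(HttpMethod.DELETE, "/api/**").hasAuthority("DELETE")
                    .anyRequest().authenticated())
                .httpBasic(Customizer.withDefaults());
            return http.build();
        }
    }

    /** Method security can combine both kinds in one SpEL expression. */
    static class ReportService {
        @PreAuthorize("hasRole('MANAGER') and hasAuthority('DELETE')")
        void deleteReport(long reportId) {
            // delete the report ...
        }
    }

    public static void main(String[] args) {
        // Constructed sample user: a MANAGER who may READ and DELETE. "{noop}" marks an
        // unencoded demo password for DelegatingPasswordEncoder; store BCrypt hashes in practice.
        AppUser alice = new AppUser("alice", "{noop}demo",
                Set.of(new Role("MANAGER")),
                Set.of(new Authority("READ"), new Authority("DELETE")));
        UserDetails details = toUserDetails(alice);
        System.out.println(details.getAuthorities());
    }
}
```

The check a practitioner wants here is that the ROLE_ prefix is applied in exactly one place (the mapping above) and never in the SpEL expressions: a role stored as "MANAGER" but checked with hasAuthority("MANAGER"), or stored as "ROLE_MANAGER" and checked with hasRole("ROLE_MANAGER"), does not match and silently denies access, and recent Spring Security versions reject an already-prefixed argument to hasRole at startup. Keeping roles and authorities in separate tables is fine as long as both end up in the same GrantedAuthority collection, which is what the snippet in the question does for roles alone.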