There are concepts and implementations in Spring Security, such as the GrantedAuthority interface to get an authority to authorize/control an access.
I would like that to permissible operations, such as createSubUsers, or deleteAccounts, which I would allow to an admin (with role ROLE_ADMIN).
I am getting confused as the tutorials/demos I see online. I try to connect what I read, but I think we treat the two interchangeably.
I see hasRole consuming a GrantedAuthority string? I most definitely am doing it wrong in understanding. What are these conceptually in Spring Security?
How do I store the role of a user, separate from the authorities for that role?
I’m also looking at the org.springframework.security.core.userdetails.UserDetails interface which is used in the authentication-provider referenced DAO, which consumes a User (note last GrantedAuthority):
public User(String username,
String password,
boolean enabled,
boolean accountNonExpired,
boolean credentialsNonExpired,
boolean accountNonLocked,
Collection<? extends GrantedAuthority> authorities)
Or is there any other way to differentiate the other two? Or is it not supported and we have to make our own?
