It’s actually quite a simple difference, but there are websites (and even the Spring source code itself) that name things badly, and that makes it confusing.
So the gist is:
- Every user has a set of authorities (a kind of permission)
- You can secure your endpoints or methods by checking for an authority or role
- If you check for a role (instead of an authority) then Spring will prefix that role name with “ROLE_” and look for an authority with that name
Let’s take a look at Spring’s Authentication interface:
import java.io.Serializable;
import java.security.Principal;
import java.util.Collection;

public interface Authentication extends Principal, Serializable {
    // The authorities granted to the principal; role checks are resolved against this same collection
    Collection<? extends GrantedAuthority> getAuthorities();
    // ...
}
So, given some User that contains these authorities:
- admin
- ROLE_STAFF
all of these checks will succeed:
- hasAuthority("admin")
- hasAuthority("ROLE_STAFF")
- hasRole("STAFF")
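To make the prefix rule concrete, here is an added, self-contained Java example (not Spring's own code) that models the check performed by Spring's SecurityExpressionRoot: hasRole adds the default "ROLE_" prefix unless the name already carries it, while hasAuthority compares the string exactly as given. The AuthorityVsRole class and its authority set are constructed for this example.

```java
import java.util.Set;

public class AuthorityVsRole {

    // Default prefix that Spring's hasRole()/hasAnyRole() prepend to a role name.
    private static final String ROLE_PREFIX = "ROLE_";

    // Constructed stand-in for an authenticated principal: just its granted authority names.
    private final Set<String> authorities;

    AuthorityVsRole(Set<String> authorities) {
        this.authorities = authorities;
    }

    // Exact string match against the granted authorities; nothing is added to the name.
    boolean hasAuthority(String authority) {
        return authorities.contains(authority);
    }

    // Mirrors Spring's expression hasRole(): add "ROLE_" unless the caller already
    // supplied it, then look for an authority with exactly that name.
    boolean hasRole(String role) {
        String withPrefix = role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role;
        return hasAuthority(withPrefix);
    }

    public static void main(String[] args) {
        // Same authorities as the user in the post: "admin" and "ROLE_STAFF".
        AuthorityVsRole user = new AuthorityVsRole(Set.of("admin", "ROLE_STAFF"));

        // The three checks from the post: exact match, exact match, and "STAFF" -> "ROLE_STAFF".
        System.out.println("hasAuthority(\"admin\")      = " + user.hasAuthority("admin"));
        System.out.println("hasAuthority(\"ROLE_STAFF\") = " + user.hasAuthority("ROLE_STAFF"));
        System.out.println("hasRole(\"STAFF\")           = " + user.hasRole("STAFF"));

        // The mirror-image mistakes: hasRole("admin") looks for "ROLE_admin", which was never
        // granted, and hasAuthority("STAFF") never adds the prefix, so it misses "ROLE_STAFF".
        System.out.println("hasRole(\"admin\")           = " + user.hasRole("admin"));
        System.out.println("hasAuthority(\"STAFF\")      = " + user.hasAuthority("STAFF"));
    }
}
```

The last two lines are the common misconfiguration in practice: an endpoint guarded with hasRole("admin") denies a user whose authority is the unprefixed "admin", and one guarded with hasAuthority("STAFF") denies a user holding "ROLE_STAFF".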