As briefly mentioned in the Authentication section, all Authentication implementations are required to store an array of GrantedAuthority objects. These represent the authorities that have been granted to the principal. The GrantedAuthority objects are inserted into the Authentication object by the AuthenticationManager and are later read by AccessDecisionManagers when making authorization decisions.
GrantedAuthority is an interface with only one method:

String getAuthority();

This method allows AccessDecisionManagers to obtain a precise String representation of the GrantedAuthority. By returning a representation as a String, a GrantedAuthority can be easily "read" by most AccessDecisionManagers. If a GrantedAuthority cannot be precisely represented as a String, the GrantedAuthority is considered "complex" and getAuthority() must return null.
An example of a "complex" GrantedAuthority would be an implementation that stores a list of operations and authority thresholds that apply to different customer account numbers. Representing this complex GrantedAuthority as a String would be quite complex, and as a result the getAuthority() method should return null. This will indicate to any AccessDecisionManager that it will need to specifically support the GrantedAuthority implementation in order to understand its contents.
Spring Security includes one concrete GrantedAuthority implementation, GrantedAuthorityImpl. This allows any user-specified String to be converted into a GrantedAuthority. All AuthenticationProviders included with the security architecture use GrantedAuthorityImpl to populate the Authentication object.
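The following is an added example, not code from the Spring Security reference, showing the "complex" per-account authority described above beside a plain GrantedAuthorityImpl, and decision logic that must handle both (a String comparison for simple authorities, an instanceof check for the complex one whose getAuthority() is null). It assumes the Spring Security 3.0 package names and constructed role names and account values.

```java
import java.math.BigDecimal;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.GrantedAuthorityImpl;

/** A "complex" authority: per-account operation limits that no single String can express. */
public class AccountOperationAuthority implements GrantedAuthority {
    // accountNumber -> (operation -> maximum amount permitted)
    private final Map<String, Map<String, BigDecimal>> limits = new HashMap<String, Map<String, BigDecimal>>();

    public AccountOperationAuthority allow(String account, String operation, BigDecimal threshold) {
        Map<String, BigDecimal> ops = limits.get(account);
        if (ops == null) { ops = new HashMap<String, BigDecimal>(); limits.put(account, ops); }
        ops.put(operation, threshold);
        return this;
    }

    public boolean permits(String account, String operation, BigDecimal amount) {
        Map<String, BigDecimal> ops = limits.get(account);
        BigDecimal max = (ops == null) ? null : ops.get(operation);
        return max != null && amount.compareTo(max) <= 0;
    }

    /** Cannot be precisely represented as a String, so the interface contract requires null. */
    public String getAuthority() { return null; }

    /** Decision logic that specifically supports this complex type as well as plain String authorities. */
    public static boolean mayPerform(Collection<GrantedAuthority> granted,
                                     String account, String operation, BigDecimal amount) {
        for (GrantedAuthority ga : granted) {
            if (ga instanceof AccountOperationAuthority) {
                if (((AccountOperationAuthority) ga).permits(account, operation, amount)) return true;
            } else if ("ROLE_ACCOUNT_ADMIN".equals(ga.getAuthority())) { // literal first: getAuthority() may be null
                return true;
            }
        }
        return false; // deny by default: no authority explicitly permitted the operation
    }

    public static void main(String[] args) {
        AccountOperationAuthority complex = new AccountOperationAuthority()
            .allow("ACCT-1001", "WITHDRAW", new BigDecimal("500.00")); // constructed sample data
        Collection<GrantedAuthority> teller = Arrays.<GrantedAuthority>asList(new GrantedAuthorityImpl("ROLE_TELLER"), complex);
        System.out.println(mayPerform(teller, "ACCT-1001", "WITHDRAW", new BigDecimal("250.00"))); // true
        System.out.println(mayPerform(teller, "ACCT-1001", "WITHDRAW", new BigDecimal("900.00"))); // false
        System.out.println(mayPerform(teller, "ACCT-2002", "WITHDRAW", new BigDecimal("1.00")));   // false
    }
}
```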