Added faq on role prefix

2009-11-27 13:30:11 +00:00 · 2009-11-27 13:30:11 +00:00 · 6688d41705
parent 999eadc540
commit 6688d41705
1 changed files with 23 additions and 0 deletions
--- a/docs/faq/src/docbook/faq.xml
+++ b/docs/faq/src/docbook/faq.xml
@ -283,6 +283,29 @@
                        the chapters on namespace parsing in the standard Spring Framework reference
                        documentation first. </para></answer>
            </qandaentry>
+            <qandaentry xml:id="faq-role-prefix">
+                <question><para>What does <quote>ROLE_</quote> mean and why do I need it on my role names?</para></question>
+                <answer>
+                    <para>Spring Security has a voter-based architecture which means that an access
+                        decision is made by a series of <interfacename>AccessDecisionVoter</interfacename>s.
+                        The voters act on the <quote>configuration attributes</quote> which are specified for a 
+                        secured resource (such as a method invocation). With this approach, not all attributes may
+                        be relevant to all voters and a voter needs to know when it should ignore an attribute (abstain) and
+                        when it should vote to grant or deny access based on the attribute value. 
+                        The most common voter is the <classname>RoleVoter</classname> which by default votes
+                        whenever it finds an attribute with the <quote>ROLE_</quote> prefix. It makes a simple comparison
+                        of the attribute (such as <quote>ROLE_USER</quote>) with the name names of the authorities which
+                        the current user has been assigned. If it finds a match (they have an authority called 
+                        <quote>ROLE_USER</quote>), it votes to grant access, otherwise it votes to deny access. 
+                    </para>
+                    <para>
+                        The prefix can be changed by setting the <literal>rolePrefix</literal> property of 
+                        <classname>RoleVoter</classname>. If you only need to use roles in your application and have
+                        no need for other custom voters, then you can set the prefix to a blank string, in which case the 
+                        <classname>RoleVoter</classname> will treat all attributes as roles.
+                    </para>
+                </answer>
+            </qandaentry>
        </qandadiv>
        <qandadiv>
            <title>Common <quote>Howto</quote> Requests</title>