Extract GrantedAuthority Docs

Closes gh-8005
Rob Winch 2020-02-20 14:56:11 -06:00
parent 1965446d6d
commit fbbb74c360
2 changed files with 14 additions and 16 deletions


@ -90,22 +90,6 @@ In many cases it makes more sense to <<core-services-authentication-manager,impl
====
[[tech-granted-authority]]
==== GrantedAuthority
Besides the principal, another important method provided by `Authentication` is `getAuthorities()`.
This method provides an array of `GrantedAuthority` objects.
A `GrantedAuthority` is, not surprisingly, an authority that is granted to the principal.
Such authorities are usually "roles", such as `ROLE_ADMINISTRATOR` or `ROLE_HR_SUPERVISOR`.
These roles are later on configured for web authorization, method authorization and domain object authorization.
Other parts of Spring Security are capable of interpreting these authorities, and expect them to be present.
`GrantedAuthority` objects are usually loaded by the `UserDetailsService`.
Usually the `GrantedAuthority` objects are application-wide permissions.
They are not specific to a given domain object.
Thus, you wouldn't likely have a `GrantedAuthority` to represent a permission to `Employee` object number 54, because if there are thousands of such authorities you would quickly run out of memory (or, at the very least, cause the application to take a long time to authenticate a user).
Of course, Spring Security is expressly designed to handle this common requirement, but you'd instead use the project's domain object security capabilities for this purpose.
==== Summary
Just to recap, the major building blocks of Spring Security that we've seen so far are:
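
Review bot: The `[[tech-granted-authority]]` anchor is dropped with this section while the extracted page declares `[[servlet-authentication-granted-authority]]`, so any existing `<<tech-granted-authority,...>>` cross-reference would stop resolving. Either update those references in the same commit or keep the old id as an additional anchor on the new page. This hunk also has no added lines (22 lines become 6), so nothing here includes or links to the extracted text; consider an `include::` or a cross-reference ahead of the Summary heading so the section stays reachable from this chapter.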


@ -0,0 +1,14 @@
[[servlet-authentication-granted-authority]]
= GrantedAuthority
Besides the principal, another important method provided by `Authentication` is `getAuthorities()`.
This method provides a `Collection` of `GrantedAuthority` objects.
A `GrantedAuthority` is, not surprisingly, an authority that is granted to the principal.
Such authorities are usually "roles", such as `ROLE_ADMINISTRATOR` or `ROLE_HR_SUPERVISOR`.
These roles are later on configured for web authorization, method authorization and domain object authorization.
Other parts of Spring Security are capable of interpreting these authorities, and expect them to be present.
`GrantedAuthority` objects are usually loaded by the `UserDetailsService`.
Usually the `GrantedAuthority` objects are application-wide permissions.
They are not specific to a given domain object.
Thus, you wouldn't likely have a `GrantedAuthority` to represent a permission to `Employee` object number 54, because if there are thousands of such authorities you would quickly run out of memory (or, at the very least, cause the application to take a long time to authenticate a user).
Of course, Spring Security is expressly designed to handle this common requirement, but you'd instead use the project's domain object security capabilities for this purpose.
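
Review bot: The closing sentence refers to "the project's domain object security capabilities" without a cross-reference; now that this is a standalone page, link that phrase to the domain object security chapter so readers who need per-object permissions (the `Employee` object number 54 case) can find it. Separately, the second sentence now says `Collection` where the removed text said "array"; that is a content correction folded into an extraction commit, so it is worth a line in the commit message.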