Allow customization of GrantedAuthority string


The WindowsAuthenticationToken
1) hardcodes the format of the GrantedAuthority string, AND
2) adds a default ROLE_USER GrantedAuthority

See the following code in the WindowsAuthenticationToken constructor...
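    // Default authority added unconditionally
    _authorities.add(new GrantedAuthorityImpl("ROLE_USER"));
    // One authority per group: hardcoded "ROLE_" prefix + upper-cased FQN
    for(WindowsAccount group : _principal.getGroups().values()) {
        _authorities.add(new GrantedAuthorityImpl("ROLE_" + group.getFqn().toUpperCase()));
    }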

In my application I don't want either of these behaviors. I don't want a default (ROLE_USER) added, and I want the GrantedAuthority string to be the group fqn, unmodified.

There are several approaches that could be used. An example of one approach can be seen in spring-security's DefaultLdapAuthoritiesPopulator (which is used by the LdapAuthenticationProvider). The DefaultLdapAuthoritiesPopulator has two fields (convertToUpperCase and rolePrefix) that affect the GrantedAuthority String as seen in the following code.
    Set<String> userRoles = ldapTemplate.searchForSingleAttributeValues(getGroupSearchBase(), groupSearchFilter,
            new String[]{userDn, username}, groupRoleAttribute);

    for (String role : userRoles) {
        // Optional upper-casing, controlled by a field
        if (convertToUpperCase) {
            role = role.toUpperCase();
        }
        // Configurable prefix instead of a hardcoded "ROLE_"
        authorities.add(new GrantedAuthorityImpl(rolePrefix + role));
    }

For Waffle, I think I would prefer a more generic formatter approach. The formatter could take, for example, the WindowsAccount (representing the group), and return the GrantedAuthority string.

As for deciding whether or not to add the default granted authority (ROLE_USER), I guess waffle could just use a String for that? If non-null, add it. Else, don't add it.

If you have any suggestions for either, let me know. I'll try to work on a patch when I get a chance. Let me know your opinion, so I don't waste some effort.
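
The formatter approach proposed in the post above, sketched as an added example (not part of the original post and not Waffle's code). `Group`, `AuthorityFormatter` and `buildAuthorities` are hypothetical names, `Group` stands in for `WindowsAccount`, and the group names are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class AuthorityMappingExample {
    // Hypothetical stand-in for WindowsAccount; only the FQN matters here (Java 16+ record).
    record Group(String fqn) {}

    // Hypothetical formatter: maps one group to its authority string.
    interface AuthorityFormatter {
        String format(Group group);
    }

    // Same shape as the hardcoded constructor logic quoted above. Locale.ROOT pins the
    // upper-casing so the authority string does not depend on the JVM default locale
    // (the quoted code calls toUpperCase() with the default locale).
    static final AuthorityFormatter PREFIXED_UPPERCASE =
            g -> "ROLE_" + g.fqn().toUpperCase(Locale.ROOT);

    // Behaviour requested in the issue: the group FQN, unmodified.
    static final AuthorityFormatter FQN_UNMODIFIED = Group::fqn;

    // defaultAuthority == null means "add no default authority".
    static List<String> buildAuthorities(List<Group> groups,
                                         AuthorityFormatter formatter,
                                         String defaultAuthority) {
        List<String> authorities = new ArrayList<>();
        if (defaultAuthority != null) {
            authorities.add(defaultAuthority);
        }
        for (Group g : groups) {
            authorities.add(formatter.format(g));
        }
        return authorities;
    }

    public static void main(String[] args) {
        // Constructed sample groups.
        List<Group> groups = List.of(
                new Group("EXAMPLE\\Domain Users"),
                new Group("BUILTIN\\Administrators"));

        // Hardcoded behaviour: default ROLE_USER plus prefixed, upper-cased names.
        System.out.println(buildAuthorities(groups, PREFIXED_UPPERCASE, "ROLE_USER"));
        // Requested behaviour: no default authority, FQNs passed through as-is.
        System.out.println(buildAuthorities(groups, FQN_UNMODIFIED, null));
    }
}
```

With the unmodified formatter, access rules have to name the group FQN exactly as the directory returns it, including case, and no authority is granted to a user who belongs to none of the mapped groups.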


dblock wrote Sep 7, 2010 at 3:24 AM

This sounds great. Send us a patch! Don't forget unit tests :)

dblock wrote Sep 7, 2010 at 3:24 AM

... and docs.

philsttr wrote Sep 7, 2010 at 6:25 PM

Patch uploaded.

dblock wrote Sep 8, 2010 at 11:52 AM

philsttr: your code is nice and clean - I gave you developer permissions to the project
  • you're missing a (c) notice on top of the FqnGrantedAuthorityFactory class
  • add a line into Documentation\WhatsNew.html
  • add a section to Documentation\Content\SpringSecurityFilter.aml / SpringSecurityAuthenticator.aml
and commit your changes, edit this bug and mark it resolved as well as mark the patch applied

Thank you!

philsttr wrote Sep 9, 2010 at 8:36 PM

Thanks dblock. I'll get this done soon.

philsttr wrote Sep 13, 2010 at 8:21 PM

Committed revision 57168.

rpi1cob wrote Feb 27, 2015 at 8:15 AM

I am using the Waffle Spring negotiate security filter to authenticate my site.
Here I want to add my own custom role to the Waffle-authenticated user.
Please let me know how to add or inject the custom role into the user.