Home Java Spring Security: GrantedAuthority vs Role – When to Use Each
Intermediate 5 min · July 14, 2026

Spring Security: GrantedAuthority vs Role – When to Use Each

Stop confusing GrantedAuthority and Role in Spring Security.

N
Naren Founder & Principal Engineer

20+ years shipping production Java in banking & fintech. Written from production experience, not tutorials.

Follow
Production
production tested
July 15, 2026
last updated
2,398
articles · all by Naren
Before you start⏱ 15-20 min read
  • Basic knowledge of Spring Boot and Spring Security
  • Understanding of authentication and authorization concepts
  • Familiarity with Java annotations and configuration
 ● Production Incident 🔎 Debug Guide ⚙ Triage Commands
Quick Answer
  • GrantedAuthority is a generic permission (e.g., 'READ_PRIVILEGES', 'PAYMENT_PROCESSOR').
  • Role is a named group of authorities, prefixed with 'ROLE_' by convention (e.g., 'ROLE_ADMIN').
  • Use roles for coarse-grained access (e.g., admin vs user) and authorities for fine-grained permissions (e.g., 'canDeleteInvoice').
  • In Spring Security, roles are just authorities with a prefix – hasRole('ADMIN') checks for 'ROLE_ADMIN'.
  • Mixing both in a hierarchy avoids role explosion and keeps code maintainable.
✦ Definition~90s read
What is GrantedAuthority vs Role in Spring Security?

GrantedAuthority is an interface in Spring Security representing any permission granted to a user, while Role is a specific type of authority with a 'ROLE_' prefix used for coarse-grained access control.

Think of a concert venue: a 'Role' is like a wristband color (VIP, Backstage, General) that grants broad access.
Plain-English First

Think of a concert venue: a 'Role' is like a wristband color (VIP, Backstage, General) that grants broad access. A 'GrantedAuthority' is a specific permission (e.g., 'access green room', 'meet the band'). The wristband gives you a set of permissions, but you could also get a special badge for one-off access. In Spring Security, roles are just a special type of authority with a 'ROLE_' prefix.

I've lost count of how many times I've seen a codebase where developers use hasRole('ADMIN') for everything – even checking if a user can delete a single comment. Then six months later, they need a 'moderator' who can delete comments but not ban users. Suddenly they're either duplicating roles (ROLE_ADMIN, ROLE_SUPER_ADMIN, ROLE_MODERATOR) or writing spaghetti conditionals. The root cause? Confusing GrantedAuthority with Role.

In Spring Security, GrantedAuthority is the interface that represents any permission granted to a user. A Role is technically just a GrantedAuthority with a ROLE_ prefix, but the framework treats it specially. hasRole('ADMIN') checks for ROLE_ADMIN, while hasAuthority('DELETE_USER') checks for exactly that string.

The decision of when to use which isn't just about API convenience – it directly impacts how you model permissions, how you store them, and how maintainable your security layer is. In this article, I'll break down the difference, show you production patterns that work, and give you a debugging guide for when things go sideways at 2 AM.

What Are GrantedAuthority and Role?

Let's get the definitions straight. GrantedAuthority is an interface in Spring Security with a single method: String getAuthority(). It represents a permission granted to the user. That's it – it's a string. Spring Security doesn't care what the string means; it just compares it to the value in your security expression.

A Role is not a separate type. It's a convention: if you use hasRole('ADMIN'), Spring Security internally prepends ROLE_ and checks for an authority named ROLE_ADMIN. So hasRole('ADMIN') is equivalent to hasAuthority('ROLE_ADMIN'). The ROLE_ prefix is a namespace to avoid clashes between role names and other authorities.

Why the distinction? Historically, roles were meant for coarse-grained access (e.g., admin, user), while authorities were for fine-grained permissions (e.g., read, write). But in practice, many teams just use roles for everything – which leads to role explosion. You end up with ROLE_DELETE_USER, ROLE_EDIT_POST, etc., which defeats the purpose.

Here's the hard truth: if your application has more than 10 roles, you're probably doing it wrong. Roles should represent job functions (ADMIN, MODERATOR, CUSTOMER), not individual actions. For actions, use authorities.

GrantedAuthorityExample.javaJAVA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
// Custom GrantedAuthority implementation
public class SimpleGrantedAuthority implements GrantedAuthority {
    private final String authority;
    
    public SimpleGrantedAuthority(String authority) {
        this.authority = authority;
    }
    
    @Override
    public String getAuthority() {
        return authority;
    }
}

// In UserDetailsService
@Override
public UserDetails loadUserByUsername(String username) {
    // fetch user from DB
    Set<GrantedAuthority> authorities = new HashSet<>();
    // Add role (with prefix)
    authorities.add(new SimpleGrantedAuthority("ROLE_" + user.getRole()));
    // Add permissions
    authorities.add(new SimpleGrantedAuthority("DELETE_USER"));
    authorities.add(new SimpleGrantedAuthority("EDIT_POST"));
    
    return new org.springframework.security.core.userdetails.User(
        user.getUsername(), user.getPassword(), authorities);
}
⚠ Don't Store ROLE_ Prefix in DB
📊 Production Insight
I've seen a startup store 'ROLE_USER' in the database, then in code they did 'ROLE_' + role – resulting in 'ROLE_ROLE_USER'. Took hours to debug.
🎯 Key Takeaway
GrantedAuthority is a generic permission. Role is just an authority with a 'ROLE_' prefix. Use roles for broad categories, authorities for specific actions.

When to Use GrantedAuthority vs Role

The decision boils down to granularity. Use hasRole() when you're checking for a broad access level – like 'is this user an admin?'. Use hasAuthority() when you're checking for a specific permission – like 'can this user delete invoices?'.

Here's a rule of thumb I've used in production: if the permission is something that could be assigned to multiple roles, it should be an authority. If it's a job title, it's a role.

Example: In a SaaS billing system, you have roles: ADMIN, FINANCE, SUPPORT. You have authorities: VIEW_INVOICES, CREATE_INVOICE, DELETE_INVOICE, REFUND. An ADMIN might have all authorities. FINANCE might have VIEW and CREATE but not DELETE. SUPPORT might have only VIEW. If you model DELETE_INVOICE as a role, you'd need ROLE_ADMIN and ROLE_FINANCE_DELETE, which is messy.

Use a role hierarchy to map roles to authorities. Spring Security's RoleHierarchy lets you define that ADMIN includes all FINANCE authorities, for example.

When to use which
  • Use hasRole('ADMIN') for admin-only sections of the app.
  • Use hasAuthority('DELETE_INVOICE') for specific operations.
  • Avoid hasRole('DELETE_INVOICE') – that's an authority, not a role.
  • If you find yourself using hasAnyRole('A','B','C') often, consider refactoring to a common authority.
SecurityConfig.javaJAVA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
@Configuration
@EnableMethodSecurity
public class SecurityConfig {
    
    @Bean
    public RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_FINANCE > ROLE_SUPPORT");
        return hierarchy;
    }
    
    @Bean
    public MethodSecurityExpressionHandler methodSecurityExpressionHandler() {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setRoleHierarchy(roleHierarchy());
        return handler;
    }
}

// In a controller
@RestController
public class InvoiceController {
    
    @GetMapping("/invoices")
    @PreAuthorize("hasAuthority('VIEW_INVOICES')")
    public List<Invoice> getInvoices() { ... }
    
    @DeleteMapping("/invoices/{id}")
    @PreAuthorize("hasAuthority('DELETE_INVOICE')")
    public void deleteInvoice(@PathVariable Long id) { ... }
}
💡Role Hierarchy is Your Friend
📊 Production Insight
In a fintech app, we had 50+ roles. After switching to roles + authorities, we cut it to 4 roles and 20 authorities. The hierarchy made security audits trivial.
🎯 Key Takeaway
Use roles for broad access categories, authorities for specific actions. Combine with role hierarchy to keep permissions manageable.

How Spring Security Evaluates hasRole and hasAuthority

Understanding the evaluation logic is crucial for debugging. When you write @PreAuthorize("hasRole('ADMIN')"), Spring Security's expression handler calls hasRole('ADMIN') on the SecurityExpressionRoot. This method prepends ROLE_ and then calls hasAuthority('ROLE_ADMIN'). So internally, it's the same check.

The difference is that hasRole also respects the RoleHierarchy. If you have a hierarchy where ROLE_ADMIN includes ROLE_MODERATOR, then hasRole('MODERATOR') will return true for an admin. hasAuthority('MODERATOR') would NOT, because it doesn't use the hierarchy.

This is a common gotcha: developers use hasAuthority thinking it's the same as hasRole without the prefix, but they lose the hierarchy. If you rely on hierarchy, always use hasRole.

Another nuance: the hasAuthority method does an exact string match against the authority's getAuthority() return value. So if your authority is "DELETE_USER", hasAuthority('delete_user') will fail because of case sensitivity.

In production, I always log the authorities at login to verify the exact strings. A simple log.info("User {} has authorities: {}", username, auth.getAuthorities()); can save hours.

ExpressionEvaluation.javaJAVA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
// Internally, Spring Security does something like:
public boolean hasRole(String role) {
    return hasAuthority("ROLE_" + role);
}

public boolean hasAuthority(String authority) {
    // With hierarchy support
    Set<String> allAuthorities = roleHierarchy.getReachableGrantedAuthorities(
        authentication.getAuthorities());
    return allAuthorities.stream()
        .anyMatch(a -> a.getAuthority().equals(authority));
}

// Note: hasRole uses the hierarchy, hasAuthority does not (unless you configure it).
// But by default, hasAuthority does NOT use hierarchy.
// To make hasAuthority respect hierarchy, you need to set the RoleHierarchy on the expression handler.
🔥Default Behavior: hasAuthority Ignores Hierarchy
📊 Production Insight
We had a bug where a user with ROLE_ADMIN couldn't access an endpoint protected by hasAuthority('VIEW_REPORTS') because the hierarchy wasn't applied. We had to add the hierarchy to the expression handler.
🎯 Key Takeaway
hasRole uses RoleHierarchy; hasAuthority does not by default. Case-sensitive exact match for authorities.

What the Official Docs Won't Tell You

The Spring Security reference documentation is good, but it leaves out several gotchas that bite you in production. Here are the ones I've learned the hard way.

1. hasRole and hasAuthority are NOT interchangeable when using RoleHierarchy. The docs mention that hasRole uses the hierarchy, but they don't emphasize that hasAuthority does NOT. If you have a hierarchy and use hasAuthority, you'll get false negatives. I once spent two hours debugging why an admin couldn't access a moderator endpoint – because the code used hasAuthority('MODERATE_POSTS') instead of hasRole('MODERATOR').

2. The ROLE_ prefix is hardcoded. You cannot change it without writing a custom expression handler. Some teams try to use a different prefix for namespacing, but Spring Security's hasRole always prepends ROLE_. If you need a different prefix, you must use hasAuthority and manage the prefix yourself.

3. Method security vs URL security have different defaults. In HttpSecurity expressions, hasRole and hasAuthority behave the same as in method security, but the RoleHierarchy integration might differ depending on how you configure it. Always test both layers.

4. The hasAuthority check is case-sensitive and exact. If your authority string has a typo or different case, it fails silently – no error, just 403. I've seen production incidents where the database stored 'delete_user' but the annotation used 'DELETE_USER'.

5. Role hierarchy can cause unexpected access. If you define ROLE_ADMIN > ROLE_USER, then any endpoint protected by hasRole('USER') is accessible to admins. That's usually desired, but if you have a sensitive endpoint that should only be for users (not admins), you need to check the exact role, not use hierarchy. Use hasAuthority('ROLE_USER') without hierarchy for that case.

CustomExpressionHandler.javaJAVA
1
2
3
4
5
6
7
8
9
10
11
12
// To make hasAuthority respect hierarchy, create a custom expression handler:
@Bean
public MethodSecurityExpressionHandler methodSecurityExpressionHandler(
        RoleHierarchy roleHierarchy) {
    DefaultMethodSecurityExpressionHandler handler = 
        new DefaultMethodSecurityExpressionHandler();
    handler.setRoleHierarchy(roleHierarchy);
    return handler;
}

// Then in your security config, use this handler.
// Now hasAuthority('MODERATE_POSTS') will also check if the user has ROLE_ADMIN etc.
⚠ Watch Out for Silent 403s
📊 Production Insight
In a healthcare app, we had a bug where a doctor could see patient records because hasAuthority('VIEW_PATIENT') didn't respect the hierarchy that gave doctors that authority via ROLE_DOCTOR. We had to refactor to use hasRole.
🎯 Key Takeaway
The docs don't emphasize the hierarchy gap, the hardcoded prefix, or the silent failures. Always test your security expressions with actual user authorities.

Best Practices for Modeling Permissions

After years of trial and error, here's the pattern I recommend for most applications:

  1. Define roles as job functions: ADMIN, MANAGER, USER, GUEST. Store them in a roles table or as an enum.
  2. Define authorities as actions: VIEW_DASHBOARD, EDIT_PROFILE, DELETE_USER, etc. Store them in a permissions table.
  3. Map roles to authorities via a many-to-many relationship: role_permissions table.
  4. In your UserDetailsService, load both the role (with ROLE_ prefix) and the authorities (without prefix) into the user's GrantedAuthority set.
  5. Use hasRole for broad checks (e.g., admin panel) and hasAuthority for specific actions.
  6. Use @PreFilter and @PostFilter for collection-level security if needed.

This approach scales well. When a new feature requires a permission, you add an authority and assign it to the appropriate roles. No need to create new roles.

For role hierarchy, keep it simple. Don't create deep hierarchies – more than 3 levels is usually overkill. Document the hierarchy clearly.

Avoid using hasAnyRole or hasAnyAuthority with more than 3 arguments – it's a code smell. Instead, create a common authority that encompasses the set.

Finally, always write integration tests for your security layer. Test each role and authority combination. I've seen too many deployments where a refactored security config accidentally opened access.

UserDetailsService.javaJAVA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
@Service
public class CustomUserDetailsService implements UserDetailsService {
    
    @Override
    public UserDetails loadUserByUsername(String username) {
        User user = userRepository.findByUsername(username)
            .orElseThrow(() -> new UsernameNotFoundException("User not found"));
        
        Set<GrantedAuthority> authorities = new HashSet<>();
        // Add role with prefix
        authorities.add(new SimpleGrantedAuthority("ROLE_" + user.getRole().getName()));
        // Add permissions from role
        for (Permission perm : user.getRole().getPermissions()) {
            authorities.add(new SimpleGrantedAuthority(perm.getName()));
        }
        // Optionally add user-specific permissions
        for (Permission perm : user.getAdditionalPermissions()) {
            authorities.add(new SimpleGrantedAuthority(perm.getName()));
        }
        
        return new User(user.getUsername(), user.getPassword(), authorities);
    }
}
💡Test Your Security Layer
📊 Production Insight
In an e-commerce platform, we had a 'SUPER_ADMIN' role that had all authorities. When we added a new permission for 'VIEW_ANALYTICS', we forgot to assign it to SUPER_ADMIN. Because we tested with a test user that had the permission, we missed it. Always test with each role.
🎯 Key Takeaway
Model roles as job functions, authorities as actions. Map many-to-many. Keep hierarchy shallow. Test everything.

Common Mistakes and How to Avoid Them

Let's look at the most frequent mistakes I see in code reviews and production incidents.

Mistake 1: Storing 'ROLE_' prefix in the database. This causes double-prefixing bugs when you concatenate again in code. Always store the raw role name and add the prefix in the UserDetailsService.

Mistake 2: Using hasRole for everything. This leads to role explosion. If you have roles like 'ROLE_DELETE_USER', 'ROLE_EDIT_POST', you're misusing roles. Use authorities for granular permissions.

Mistake 3: Ignoring case sensitivity. hasAuthority('Delete_User') will not match an authority of 'delete_user'. Be consistent – I recommend uppercase with underscores.

Mistake 4: Not using RoleHierarchy. Without hierarchy, you'll repeat authorities across roles. Define a hierarchy like ROLE_ADMIN > ROLE_MANAGER > ROLE_USER.

Mistake 5: Mixing hasRole and hasAuthority in the same expression without understanding hierarchy. For example, @PreAuthorize("hasRole('ADMIN') or hasAuthority('VIEW_REPORTS')") might not work as expected if the hierarchy is applied only to hasRole.

How to avoid: - Use a consistent naming convention: roles are uppercase without prefix in DB, authorities are uppercase with underscore. - Always add the prefix in one place (UserDetailsService). - Use RoleHierarchy and configure the expression handler to apply it to both hasRole and hasAuthority. - Write unit tests for your security expressions.

CommonMistakes.javaJAVA
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
// MISTAKE: Storing prefix in DB
// Database: role = 'ROLE_ADMIN'
// Code: new SimpleGrantedAuthority("ROLE_" + user.getRole()) 
// Result: 'ROLE_ROLE_ADMIN'

// CORRECT: Store without prefix
// Database: role = 'ADMIN'
// Code: new SimpleGrantedAuthority("ROLE_" + user.getRole())
// Result: 'ROLE_ADMIN'

// MISTAKE: Using hasRole for granular permissions
@PreAuthorize("hasRole('DELETE_USER')")  // BAD

// CORRECT: Use hasAuthority
@PreAuthorize("hasAuthority('DELETE_USER')")  // GOOD

// MISTAKE: Case inconsistency
@PreAuthorize("hasAuthority('delete_user')")  // Won't match 'DELETE_USER'

// CORRECT: Consistent casing
@PreAuthorize("hasAuthority('DELETE_USER')")
⚠ Double Prefix Bug is Common
📊 Production Insight
In a SaaS startup, a junior dev stored 'ROLE_USER' in the DB and then did 'ROLE_' + role in the code. The result was 'ROLE_ROLE_USER'. The bug went unnoticed for weeks because the login worked – but the user had no valid role, so all endpoints returned 403. Debugging was painful.
🎯 Key Takeaway
Avoid double prefix, role explosion, and case mismatches. Use hierarchy and test thoroughly.
● Production incidentPOST-MORTEMseverity: high

The Case of the Overprivileged Moderator

Symptom
Users with role 'MODERATOR' could access the 'DELETE_USER' endpoint. The UI was showing a delete button that shouldn't be there for moderators.
Assumption
The developer assumed hasRole('MODERATOR') would only grant access to endpoints annotated with hasRole('MODERATOR'), but they had also granted the ROLE_MODERATOR authority to a user who was only supposed to have MODERATE_POSTS permission.
Root cause
The security config used hasRole('ADMIN') for the delete endpoint, but the database stored the role as 'ROLE_ADMIN'. However, a bug in the role assignment code accidentally gave the moderator both 'ROLE_MODERATOR' and 'ROLE_ADMIN' because of a string concatenation error: 'ROLE_' + roleName was applied twice.
Fix
We fixed the role assignment logic to avoid double prefixing, and refactored the security layer to use hasAuthority('DELETE_USER') for fine-grained permissions, leaving hasRole('ADMIN') only for broad admin panels.
Key lesson
  • Never store roles with the 'ROLE_' prefix in the database – let Spring Security add it.
  • Use hasAuthority for specific actions, hasRole only for coarse access levels.
  • Audit your security annotations regularly – an accidental role grant can be catastrophic.
  • Use a permission hierarchy to map roles to authorities explicitly.
Production debug guideSymptom to Action4 entries
Symptom · 01
User with ROLE_ADMIN gets 403 on an endpoint annotated with @PreAuthorize("hasRole('ADMIN')")
Fix
Check if the GrantedAuthority in the authentication object is exactly 'ROLE_ADMIN'. Use a debug endpoint to print authorities. Often the role is stored without the prefix or with a different case.
Symptom · 02
User can access an endpoint they shouldn't, even though they don't have the required role
Fix
Look for misused hasAuthority vs hasRole. If you used hasAuthority('ADMIN'), it expects 'ADMIN' not 'ROLE_ADMIN'. Also check for method security vs URL security conflicts.
Symptom · 03
After adding a new authority, existing users still can't access new endpoints
Fix
Verify that the UserDetailsService is populating authorities correctly. Check if authorities are cached in the session or JWT token – you may need to force re-authentication.
Symptom · 04
Role hierarchy not working – a user with ROLE_ADMIN can't access endpoints for ROLE_MODERATOR
Fix
Ensure RoleHierarchy is injected into the security configuration. Also check that hasRole is being used, not hasAuthority – hierarchy only works with roles.
★ Quick Debug Cheat SheetQuick commands and checks for common GrantedAuthority/Role issues.
403 Forbidden despite correct role
Immediate action
Print current user's authorities
Commands
SecurityContextHolder.getContext().getAuthentication().getAuthorities()
Check for prefix mismatch – hasRole('ADMIN') expects 'ROLE_ADMIN'
Fix now
Ensure your UserDetailsService adds 'ROLE_' prefix (or don't, and use hasAuthority).
User has too much access+
Immediate action
Review all @PreAuthorize annotations on the endpoint
Commands
Find the endpoint's security annotation
Check if you're using hasRole vs hasAuthority correctly
Fix now
Refactor to use hasAuthority for granular permissions.
Role hierarchy not working+
Immediate action
Verify RoleHierarchy is set in security config
Commands
Check WebSecurityConfig for @Bean RoleHierarchy
Ensure you're using hasRole, not hasAuthority
Fix now
Add RoleHierarchy bean and use hasRole in expressions.
FeaturehasRolehasAuthority
PrefixAutomatically prepends 'ROLE_'No prefix
RoleHierarchyRespected by defaultNot respected by default
Use caseCoarse-grained access (e.g., admin)Fine-grained permissions (e.g., delete user)
Case sensitivityCase-insensitive for role name? No, exact match after prefixExact match, case-sensitive
FlexibilityLess flexible – hardcoded prefixMore flexible – any string
⚙ Quick Reference
6 commands from this guide
FileCommand / CodePurpose
GrantedAuthorityExample.javapublic class SimpleGrantedAuthority implements GrantedAuthority {What Are GrantedAuthority and Role?
SecurityConfig.java@ConfigurationWhen to Use GrantedAuthority vs Role
ExpressionEvaluation.javapublic boolean hasRole(String role) {How Spring Security Evaluates hasRole and hasAuthority
CustomExpressionHandler.java@BeanWhat the Official Docs Won't Tell You
UserDetailsService.java@ServiceBest Practices for Modeling Permissions
CommonMistakes.java@PreAuthorize("hasRole('DELETE_USER')") // BADCommon Mistakes and How to Avoid Them

Key takeaways

1
GrantedAuthority is a generic permission; Role is a convention with 'ROLE_' prefix.
2
Use hasRole for broad access (e.g., admin panel) and hasAuthority for specific actions.
3
RoleHierarchy works with hasRole but not with hasAuthority by default
configure if needed.
4
Avoid storing 'ROLE_' prefix in DB; add it only when creating authorities.
5
Always test security expressions with integration tests to catch silent 403s.
INTERVIEW PREP · PRACTICE MODE

Interview Questions on This Topic

Q01JUNIOR
What is the difference between GrantedAuthority and Role in Spring Secur...
Q02SENIOR
How does Spring Security evaluate hasRole vs hasAuthority? Does hasAutho...
Q03SENIOR
Design a permission model for a multi-tenant SaaS application where admi...
Q01 of 03JUNIOR

What is the difference between GrantedAuthority and Role in Spring Security?

ANSWER
GrantedAuthority is an interface representing any permission (e.g., 'READ_PRIVILEGES'). Role is a convention where authorities are prefixed with 'ROLE_'. Spring Security's hasRole('ADMIN') checks for 'ROLE_ADMIN'. Roles are typically used for coarse-grained access, authorities for fine-grained.
FAQ · 5 QUESTIONS

Frequently Asked Questions

01
What is the difference between hasRole and hasAuthority in Spring Security?
02
Can I use hasAuthority with roles?
03
How do I make hasAuthority respect RoleHierarchy?
04
Should I store the ROLE_ prefix in the database?
05
What is a role hierarchy and why should I use it?
N
Naren Founder & Principal Engineer

20+ years shipping production Java in banking & fintech. Written from production experience, not tutorials.

Follow
Verified
production tested
July 15, 2026
last updated
2,398
articles · all by Naren
🔥

That's Spring Security. Mark it forged?

5 min read · try the examples if you haven't

Previous
Creating Custom Security Expressions in Spring Security
22 / 31 · Spring Security
Next
Retrieving User Information in Spring Security: SecurityContext and Principal