Custom User, roles, permissions implementing UserDetail and UserDetailService with Spring Security

Question

I am looking to use Spring Security w/ MySql to store Users, Roles, Permissions (authorities). I have done the following:

ApplicationUser (id, firstName, lastName, username, password, roles )
ApplicationRole (id, name, description, permissions ) implements GrantedAuthority
ApplicationPermission (id, name, description) implements GrantedAuthority

I created a class that implements UserDetailService. In the loadUserByUsername method I doing the following:

ApplicationUser applicationUser = userRepository.findByUsername(username);
if(applicationUser == null) {
    throw new UsernameNotFoundException(username);
}

// Extract role/role permission grantedAuthorities from db user
List<GrantedAuthority> grantedAuthorities = new ArrayList<>();
for (Role role: applicationUser.getRoles()) {
    grantedAuthorities.add(role);
    grantedAuthorities.addAll(role.getPermissions());
}

return new User(applicationUser.getUsername(), applicationUser.getPassword(), grantedAuthorities);

However, this still leaves me a bit confused and here are a few of my questions...

1. Is it necessary to implement GrantedAuthority on my ApplicationRole and ApplicationPermission class. I don't see others doing it in many examples that I have seen but it appears to have made my life easier so I can just get them and pass them in as is.
2. I have not implemented UserDetails with my ApplicationUser class. If I were to do this what would be the purpose? Is the only reason so I would be able to customize the getAuthorities, isAccountNonExpired, isAccountNonLocked, isCredentialsNonExpired, isEnabled methods? Is there even a default implementation of these methods or only if I create my versions. Why would I need to implement getAuthorities here if I am already doing it with loadbyUserName in UserDetailsServiceImpl?
3. What is the purpose of SimpleGrantedAuthority? I see it implements GrantedAuthority and only accepts a String name. However, I don't feel like I need to use it since I implemented GrantedAuthority with my ApplicationRole and ApplicationPermission classes.

I think my problem is that I am confused as to when/how to properly implement UserDetail and UserDetailService making sure I am loading the authorities from the database and setting them each time a user logs in. Additionally, is there any point in implementing GrantedAuthority with my ApplicationRole and ApplicationPermission class the way I am?

Answer 1

1. It's not necessary and I wouldn't recommend it either. It's good to keep these different aspects of your application separate. As far as I know it's a common practice to fetch the roles in your custom UserDetailsService and wrap their textual representation in a SimpleGrantedAuthority (ie their name). Note that to differentiate between roles and authorities within Spring Security you have to prefix roles with the ROLE_ tag by default (see hasRole and hasAuthority access-control expressions).

2. Having a custom UserDetails implementation is not necessary but might have benefits, for example you can store extra fields that are specific to your application. The default implementation is org.springframework.security.core.userdetails.User , most of the time you can just extend this one.

3. See #1

is there any point in implementing GrantedAuthority with my ApplicationRole and ApplicationPermission class the way I am?

It wouldn't make any sense, no. Many use-cases are covered by the existing implementations, but for the most simple use-cases you can just stick to SimpleGrantedAuthority .