Default roles in Spring Security 3.1

Question

The Spring 3.1 Security contact example uses a couple of roles in its applicationContext-security.xml :

<intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/hello.htm" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<intercept-url pattern="/switchuser.jsp" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/j_spring_security_switch_user" access="ROLE_SUPERVISOR"/>
<intercept-url pattern="/**" access="ROLE_USER"/>

Where are these IS_AUTHENTICATED_ANONYMOUSLY, ROLE_SUPERVISOR, ROLE_USER roles defined? Are these default roles create by Spring Security?

Answer 1

The IS_AUTHENTICATED_ANONYMOUSLY is defined in the AuthenticatedVoter class.
The various ROLE_xxxx have no special meaning.

Spring Security by defaults suggests these roles because they are used in most applications.
However you are free to define and use custom roles (ie ROLE_SUPERMAN).
You just have to make sure that the UserDetail returned by your UserDetailService has this ROLE assigned as GrantedAuthority (either from a DB or manually).

Actually ROLE is the prefix. If you want to change it to APP (ie APP_ADMIN) you have to define a custom AppVoter :

<bean class="org.springframework.security.vote.RoleVoter">
  <property name="rolePrefix" value="APP"/>
</bean>

Answer 2

Roles ROLE_SUPERVISOR, ROLE_USER are defined by us according to our application.

How to create custom roles : How do I use custom roles/authorities in Spring Security?

Refer Tutorial to create custom roles using org.springframework.security.core.userdetails.UserDetailsService