Java Authorizing Deletions

Binyamin Friedman
14,615 Points

Why does ROLE_USER do something?

Craig said that Spring doesn't know what the role ROLE_ADMIN means. Why does Spring know what ROLE_USER means? Does Spring just give all access to all roles by default?

1 Answer

Boban Talevski
24,793 Points

I'm going to go and assume some things here, but this is how I see it.

So yeah, Spring doesn't know what ROLE_ADMIN means. But as far as I can tell, it also doesn't know what ROLE_USER means. They are just arbitrary role names we defined and we are supposed to use them down the road in implementation of the authorization part of our API/app or whatever.

So, whatever role the user has, as long as they log in with the proper username and password, they'll be authenticated. Now after the user is authenticated (logged in), it depends on their role(s) what the user is able to do (authorization). And this is where roles start to matter, but we do need to tell Spring. Just like we are doing it on the deletion methods in ReviewRepository. A user can delete their own review, but if that same user has an admin role (ROLE_ADMIN), they can also delete a review regardless of whether they posted it or not.

Technically, up to this point in the workshop (still didn't go over the last video), the ROLE_USER is just something to have assigned to all our logged in "regular" users, and it could be named differently, like ROLE_REGULAR, or ROLE_LOGGEDIN or something. Because I guess we shouldn't have it as null in each of our users who are not admins? And down the line we'll probably need it to define some authorization rule.

Like we could have another role ROLE_TRIAL for trial users, so we would define some rules that trial users get a limited number of API calls per day, like 10, while the regular users to which we assigned the role ROLE_USER will get the regular number of API calls per day, like 1000 or so. The ROLE_ADMIN would probably have unlimited API calls in this scenario, because well, they are admins :). Not that I know how to implement this functionality right off the bat, but it's an example I thought of where we would use that default role ROLE_USER to define some authorization rules.
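
The point made in the answer above, as an added example (not part of the original posts and not the workshop's code): role names are plain strings attached to the authenticated user, and only a rule that names one of them changes what that user may do. It assumes spring-security-core on the classpath; `Review`, `canDelete`, `login` and the user names are hypothetical.

```java
import java.util.List;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

// Added illustration; needs spring-security-core on the classpath.
// Review, canDelete, login and all user names are hypothetical.
public class RoleDemo {

    // Constructed stand-in for a review entity: an id plus the author's username.
    record Review(long id, String reviewer) {}

    // The only place a role name gets a meaning: this rule names ROLE_ADMIN explicitly.
    // ROLE_USER and ROLE_TRIAL appear in no rule, so holding them changes nothing.
    static boolean canDelete(Authentication auth, Review review) {
        boolean isAdmin = auth.getAuthorities().stream()
                .anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
        boolean isOwner = review.reviewer().equals(auth.getName());
        return auth.isAuthenticated() && (isAdmin || isOwner);
    }

    // Builds an already-authenticated token, standing in for a successful login.
    static Authentication login(String username, String... roles) {
        return new UsernamePasswordAuthenticationToken(
                username, "n/a", AuthorityUtils.createAuthorityList(roles));
    }

    public static void main(String[] args) {
        Review review = new Review(1L, "alice");
        List<Authentication> users = List.of(
                login("alice", "ROLE_USER"),               // owner of the review
                login("bob", "ROLE_USER"),                 // other regular user
                login("carol", "ROLE_TRIAL"),              // role that no rule mentions
                login("dave", "ROLE_USER", "ROLE_ADMIN"),  // admin, not the owner
                login("erin", "ROLE_ADMINISTRATOR"));      // similar name, not matched by the rule
        for (Authentication u : users) {
            System.out.printf("%-6s %-28s canDelete=%b%n",
                    u.getName(), u.getAuthorities(), canDelete(u, review));
        }
    }
}
```

Every user here is authenticated regardless of role; the delete decision differs only where the rule's own conditions (owner, or the exact string `ROLE_ADMIN`) apply.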