The limited access to the resource has been configured along with information on which roles can access it in the earlier configuration. However, we haven't yet provided any information about the roles assigned to the users. It can be done, as shown in the following configuration, using AuthenticationManager:

    <authentication-manager> 
      <authentication-provider> 
        <user-service> 
          <user name="user1" password="password1" 
            authorities="ROLE_USER, ROLE_ADMIN" /> 
          <user name="user2" password="password2"  
            authorities="ROLE_USER" /> 
        </user-service> 
      </authentication-provider> 
    </authentication-manager> 

The preceding configuration defines two users as user1 and user2 with their passwords and roles assigned to them using the attribute as authorities. One user can have multiple roles, each one of them separated by a comma. Each role has to be specified which is prefixed by ROLE. Here, we configured memory authentication. The information about credentials can also be loaded from the properties file, and later in the chapter, we will discuss AuthenticationManagers in depth. Before moving ahead, let's write a code to understand configuring security.