I'm learning spring security and I have few quick questions respect UserDetailsService:

1- when loadUserByUsername is actually called or invoked? after authentication? only once per login?

2- after login, will spring put the actual logged user in to httpSession?

3- which is the recommended way to populate the collection of <GrantedAuthority> of UserDetails?

a. eagle fetch them so when loadUserByUsername is called, the returned user already has it's "ROLES"
b. implemente other custom filter like "UsernamePasswordAuthenticationFilter" populate after success login?
c. neither of above...


thanks please guide me