Roles hierarchy has no effect in Spring security #12

Open
jcheron opened this issue Mar 14, 2023 · 0 comments
Labels
bug Something isn't working

jcheron commented Mar 14, 2023

Context

Given the following role hierarchy defined in the Spring security configuration:

    @Bean
    fun roleHierarchy(): RoleHierarchy {
        val roleHierarchy = RoleHierarchyImpl()
        val hierarchy = "ROLE_ADMIN > ROLE_USER"
        roleHierarchy.setHierarchy(hierarchy)
        return roleHierarchy
    }

Given the following authorisations:

    http.requestMatchers("/bar/**").hasAuthority("USER")

Expected behaviour

A user with the ROLE_ADMIN role should be able to access the /bar/** URLs.

Current result

403 Forbidden

Changes

The following changes to the configuration have no effect:

    @Bean
    fun webSecurityExpressionHandler(): DefaultWebSecurityExpressionHandler {
        val expressionHandler = DefaultWebSecurityExpressionHandler()
        expressionHandler.setRoleHierarchy(roleHierarchy())
        return expressionHandler
    }

    @Bean
    fun expressionHandler(): DefaultMethodSecurityExpressionHandler {
        val expressionHandler = DefaultMethodSecurityExpressionHandler()
        expressionHandler.setRoleHierarchy(roleHierarchy())
        return expressionHandler
    }

    @Bean
    fun grantedAuthoritiesMapper(roleHierarchy: RoleHierarchy): GrantedAuthoritiesMapper {
        return RoleHierarchyAuthoritiesMapper(roleHierarchy)
    }

Versions

  • Java 17 Corretto
  • Kotlin 1.7.22
  • Springboot 3.0.3
  • Spring-security 6.0.2

see spring-projects/spring-security#12473
see spring-projects/spring-security#12505
see vrudas/spring-framework-examples#101

@jcheron jcheron added the bug Something isn't working label Mar 14, 2023
@jcheron jcheron changed the title from "Hiérarchie des rôles dans Spring Security" to "Roles hierarchy has no effect in Spring security" Mar 14, 2023
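
An added example, not code from the issue or the project: it evaluates the issue's rule directly against Spring Security's `AuthorityAuthorizationManager` for a constructed `ROLE_ADMIN` user, with and without the hierarchy set on the manager, and compares `hasAuthority("USER")` with `hasRole("USER")`. It assumes spring-security-core 6.0.x on the classpath; `issueHierarchy`, `isGranted` and the user `alice` are names made up here.

```kotlin
import org.springframework.security.access.hierarchicalroles.RoleHierarchy
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl
import org.springframework.security.authentication.TestingAuthenticationToken
import org.springframework.security.authorization.AuthorityAuthorizationManager
import org.springframework.security.core.Authentication
import java.util.function.Supplier

// Same hierarchy string as in the issue.
fun issueHierarchy(): RoleHierarchy =
    RoleHierarchyImpl().apply { setHierarchy("ROLE_ADMIN > ROLE_USER") }

// Evaluate one rule for one user; the hierarchy is applied only when it is
// explicitly set on the manager (hypothetical helper for this example).
fun isGranted(
    manager: AuthorityAuthorizationManager<Any>,
    user: Authentication,
    hierarchy: RoleHierarchy? = null,
): Boolean {
    hierarchy?.let { manager.setRoleHierarchy(it) }
    return manager.check(Supplier<Authentication> { user }, Any())?.isGranted ?: false
}

fun main() {
    // Constructed test principal that holds only ROLE_ADMIN.
    val admin = TestingAuthenticationToken("alice", "n/a", "ROLE_ADMIN")
    val hierarchy = issueHierarchy()

    // Authorities the hierarchy derives from ROLE_ADMIN.
    println("reachable authorities: " +
        hierarchy.getReachableGrantedAuthorities(admin.authorities))

    // hasAuthority("USER") compares against the literal string "USER";
    // hasRole("USER") compares against "ROLE_USER".
    println("hasAuthority(USER), no hierarchy:   " +
        isGranted(AuthorityAuthorizationManager.hasAuthority<Any>("USER"), admin))
    println("hasAuthority(USER), with hierarchy: " +
        isGranted(AuthorityAuthorizationManager.hasAuthority<Any>("USER"), admin, hierarchy))
    println("hasRole(USER), no hierarchy:        " +
        isGranted(AuthorityAuthorizationManager.hasRole<Any>("USER"), admin))
    println("hasRole(USER), with hierarchy:      " +
        isGranted(AuthorityAuthorizationManager.hasRole<Any>("USER"), admin, hierarchy))
}
```

Only the last combination is granted: the hierarchy derives `ROLE_USER`, never the literal authority `USER`, and a manager that has no hierarchy set on it does not consult one.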