AuthorityAuthorizationManager never using defined role hierarchy

[davidvelasco-lk]

Describe the bug
Defined role hierarchy is not picked up by AuthorityAuthorizationManager.

• Role hierarchy: ROLE_SUPERUSER > ROLE_USER
• endpoint GET /greet is authorized to role USER
• User user is configured as SUPERUSER. According to defined role hierarchy, access to resource should be granted.

After debugging I found that AuthorityAuthorizationManager is always using NullRoleHierarchy. This setter is never being assigned to the one I created.

Env: spring boot 3.0.0 / spring security 6.0.0
Context: Upgrading from spring boot 2.7.x to spring boot 3.0.0

To Reproduce

1. Start the example
2. Go to localhost:8080/greet
3. log in should be shown
   user: user
   password: pass
4. response code is 403, forbidden.

Expected behavior
Should return "hello world" string

Sample

Example project.

[davidvelasco-lk]

I found this way to enable role hierarchies. Is this the expected way to do it?

  @Bean
  public SecurityFilterChain configure(
      HttpSecurity http,
      RequestHeaderAuthenticationFilter headerAuthenticationFilter) throws Exception {

    var auth1 = AuthorityAuthorizationManager.<RequestAuthorizationContext>hasRole("USER");
    auth1.setRoleHierarchy(roleHierarchy());
    
    http
        .authorizeHttpRequests(auth -> auth
          .requestMatchers(HttpMethod.GET).access(auth1)
        );
    return http.build();
  }

 @Bean
  public RoleHierarchy roleHierarchy() {
    RoleHierarchyImpl r = new RoleHierarchyImpl();
    r.setHierarchy("ROLE_SUPERUSER > ROLE_USER");
    return r;
  }

[jzheaux]

Thanks for reaching out, @davidvelasco-lk. This is what is supported at this point, yes.

It would be nice if AuthorizeHttpRequestsConfigurer.AuthorizeUrl#hasRole and other related methods looked for the RoleHierarchy bean and called AuthorityAuthorizationManager's setter. Are you able to submit a PR that adds this functionality?

[evgeniycheban]

Hi, @jzheaux I should've added this functionality in gh-12231, but I didn't take into account such use case, I'm going to add this in a new PR, so the user will be able to define RoleHierarchy as a @Bean and it will be determined by the AuthorizeHttpRequestsConfigurer and set to the AuthorityAuthorizationManager using its setter.