SEC-1163: RoleHierarchyImpl and @Secured annotation #1411

Closed
spring-issuemaster opened this Issue May 14, 2009 · 1 comment

1 participant

@spring-issuemaster

Eduardas (Migrated from SEC-1163) said:

I have a situation. For example there is one user "administrator" and has authority "ROLE_ADMIN".
I specify my roleHierarchy bean like this:

<bean id="roleHierarchy"
      class="org.springframework.security.userdetails.hierarchicalroles.RoleHierarchyImpl">
    <property name="hierarchy">
        <value>ROLE_ADMIN > ROLE_CUSTOMER</value>
    </property>
</bean>

then i have a method with @Secured annotation:

@Secured({"ROLE_USER", "AFTER_ACL_READ"})
public Artist getArtist(Long artistId) {
    return dao.getArtist(artistId);
}

it seems that almost everything works fine with "ROLE_USER", i see acl information in the database,
permissions work fine when inserting and deleting, but when there is only "ROLE_ADMIN", this method gives me an access denied error.
I guess it sees only "ROLE_ADMIN" instead of whole permission tree: "ROLE_ADMIN" > "ROLE_USER".

when dealing with annotations i use:

<global-method-security secured-annotations="enabled"
                        jsr250-annotations="enabled"
                        access-decision-manager-ref="businessAccessDecisionManager"/>

and

<bean id="businessAccessDecisionManager"
      class="org.springframework.security.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions" value="false"/>
    <property name="decisionVoters">
        <list>
            <ref local="roleVoter"/>
            <ref local="aclObjectReadVoter"/>
            <ref local="aclObjectWriteVoter"/>
            <ref local="aclObjectDeleteVoter"/>
            <ref local="aclObjectAdminVoter"/>
        </list>
    </property>
</bean>

Can somebody explain me how to set up RoleHierarchyImpl correctly? or maybe this is some kind of a bug?

@spring-issuemaster

Luke Taylor said:

Already raised as SEC-1049, wrt ACLs.

If you want basic support for role hierarchies, then use a RoleHierarchyVoter, instead of a RoleVoter.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M2 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment