SEC-1163: RoleHierarchyImpl and @Secured annotation #1411

spring-issuemaster opened this Issue May 14, 2009 · 1 comment



Eduardas (Migrated from SEC-1163) said:

I have a situation. For example, there is one user, "administrator", who has the authority "ROLE_ADMIN".
I specify my roleHierarchy bean like this:

<bean id="roleHierarchy">
    <property name="hierarchy">
        <value>ROLE_ADMIN > ROLE_CUSTOMER</value>
    </property>
</bean>

Then I have a method with a @Secured annotation:

public Artist getArtist(Long artistId) {
    return dao.getArtist(artistId);
}

It seems that almost everything works fine with "ROLE_USER": I see the ACL information in the database,
and permissions work fine when inserting and deleting, but when there is only "ROLE_ADMIN", this method gives me an access denied error.
I guess it sees only "ROLE_ADMIN" instead of the whole permission tree: "ROLE_ADMIN" > "ROLE_USER".

When dealing with annotations I use:

<global-method-security secured-annotations="enabled"/>


<bean id="businessAccessDecisionManager">
    <property name="allowIfAllAbstainDecisions" value="false"/>
    <property name="decisionVoters">
        <list>
            <ref local="roleVoter"/>
            <ref local="aclObjectReadVoter"/>
            <ref local="aclObjectWriteVoter"/>
            <ref local="aclObjectDeleteVoter"/>
            <ref local="aclObjectAdminVoter"/>
        </list>
    </property>
</bean>

Can somebody explain to me how to set up RoleHierarchyImpl correctly? Or maybe this is some kind of a bug?


Luke Taylor said:

Already raised as SEC-1049, wrt ACLs.

If you want basic support for role hierarchies, then use a RoleHierarchyVoter, instead of a RoleVoter.
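The suggested change wired into the configuration from the question, as an added example that is not from the original issue or from the Spring Security project: the RoleVoter definition, which compares granted authorities against the @Secured value without consulting the hierarchy, beside the RoleHierarchyVoter that expands them through the hierarchy first. It assumes the Spring Security 3.0 package layout (the milestone on this issue), that the security namespace is declared, and that the acl*Voter beans are defined elsewhere as in the question.

```xml
<!-- Before: RoleVoter checks the user's authorities as granted. A user holding
     only ROLE_ADMIN is denied on a method secured with ROLE_CUSTOMER even
     though the hierarchy declares ROLE_ADMIN > ROLE_CUSTOMER. -->
<bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter"/>

<!-- After: the hierarchy bean from the question (package assumed: 3.0 layout). -->
<bean id="roleHierarchy"
      class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <property name="hierarchy">
        <value>ROLE_ADMIN > ROLE_CUSTOMER</value>
    </property>
</bean>

<!-- RoleHierarchyVoter takes the RoleHierarchy as a constructor argument and
     expands ROLE_ADMIN to {ROLE_ADMIN, ROLE_CUSTOMER} before voting. -->
<bean id="roleHierarchyVoter"
      class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <constructor-arg ref="roleHierarchy"/>
</bean>

<!-- The decision manager from the question with roleVoter swapped out.
     The ACL voters are left as they were; they do not see the hierarchy,
     which is the separate SEC-1049 issue mentioned in the answer. -->
<bean id="businessAccessDecisionManager"
      class="org.springframework.security.access.vote.AffirmativeBased">
    <property name="allowIfAllAbstainDecisions" value="false"/>
    <property name="decisionVoters">
        <list>
            <ref local="roleHierarchyVoter"/>
            <ref local="aclObjectReadVoter"/>
            <ref local="aclObjectWriteVoter"/>
            <ref local="aclObjectDeleteVoter"/>
            <ref local="aclObjectAdminVoter"/>
        </list>
    </property>
</bean>

<!-- Point @Secured processing at the custom decision manager so the
     RoleHierarchyVoter is actually consulted for annotated methods. -->
<global-method-security secured-annotations="enabled"
                        access-decision-manager-ref="businessAccessDecisionManager"/>
```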

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M2 milestone Feb 5, 2016