SEC-1925: Access/check Spring Security hierarchical roles programmatically

[spring-projects-issues]

Benjamin Muschko (Migrated from SEC-1925) said:

In my project I defined multiple hierarchical roles e.g. ROLE_USER > SOME_OTHER_ROLE. When securing controller methods using the @Secured annotation it works just fine. However, I also would like to check the role programmatically in my code for one use case. Using the following approach I always get a false even though the user inherits the role through hierarchical role definition:

SecurityContextHolderAwareRequestWrapper#isUserInRole(String)

Also getting the roles via SecurityContextHolder.getContext().getAuthentication().getAuthorities() doesn't give me the hierarchical roles. I'd expect them to be retrieved as well.

This might be a bug in SecurityContextHolderAwareRequestWrapper. Right now I am using this method to make it work:

RoleVoter#extractAuthorities(Authentication)

[spring-projects-issues]

Rob Winch said:

It sounds as though you are using the RoleHiearchyVoter which will only impact Spring Security's voting semantics. Can you confirm this and/or provide your configuration? In order to populate the Roles in the Authentication, you should leverage the work done in SEC-1492. In short, you should set a GrantedAuthoritiesMapper on the AuthenticationProvider that is loading your UserDetails. This will ensure the user gets populated with all the roles.

[spring-projects-issues]

Rob Winch said:

Resolving as invalid per previous comment and no further feedback