
Incomplete documentation regarding Hierarchical roles. #12766

Closed
istoony opened this issue Feb 22, 2023 · 2 comments
Labels
in: docs An issue in Documentation or samples type: enhancement A general enhancement

istoony commented Feb 22, 2023

In the current 6.0.2 official documentation we have this small sample code related to hierarchical roles:

@Bean
AccessDecisionVoter hierarchyVoter() {
    RoleHierarchy hierarchy = new RoleHierarchyImpl();
    hierarchy.setHierarchy("ROLE_ADMIN > ROLE_STAFF\n" +
            "ROLE_STAFF > ROLE_USER\n" +
            "ROLE_USER > ROLE_GUEST");
    return new RoleHierarchyVoter(hierarchy);
}

This code uses deprecated classes and does not provide any sample that can be used in the current Spring version.

@istoony istoony added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Feb 22, 2023
@istoony istoony changed the title Incomplete documentation regarding hierarchidal roles. Incomplete documentation regarding Hierarchical roles. Feb 22, 2023

jzheaux commented Feb 24, 2023

Thanks for the report, @istoony. RoleHierarchy bean configuration is not fully ported over as of 6.0.x. As such, I think what should be done here is add a note about that in the documentation and then update it once completed. I've also added #12783 detailing what needs to be done to support RoleHierarchy bean configuration.

In the meantime, to configure RoleHierarchy for pre-post method security, use DefaultMethodSecurityExpressionHandler:

@Bean 
static RoleHierarchy roleHierarchy() {
    RoleHierarchy hierarchy = new RoleHierarchyImpl();
    hierarchy.setHierarchy("ROLE_ADMIN > ROLE_STAFF\n" +
            "ROLE_STAFF > ROLE_USER\n" +
            "ROLE_USER > ROLE_GUEST");
    return new RoleHierarchyVoter(hierarchy);
}

@Bean
static DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler(RoleHierarchy roleHierarchy) {
    DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
    expressionHandler.setRoleHierarchy(roleHierarchy);
    return expressionHandler;
}

And to configure it for filter security, use the access(AuthorizationManager) method instead of hasRole, like so:

AuthorityAuthorizationManager<RequestAuthorizationContext> hasRoleUser =
    AuthorityAuthorizationManager.hasRole("USER");
hasRoleUser.setRoleHierarchy(roleHierarchy);

http
    .authorizeHttpRequests((authorize) -> authorize
        .requestMatchers("/needs/user/**").access(hasRoleUser)
        .anyRequest().authenticated()
    )
    // ...

jzheaux added a commit that referenced this issue Feb 24, 2023
@jzheaux jzheaux added this to the 6.0.3 milestone Feb 24, 2023
@jzheaux jzheaux self-assigned this Feb 24, 2023
@jzheaux jzheaux added in: docs An issue in Documentation or samples and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 24, 2023
@super-iterator

@jzheaux Thanks for your contribution!

I tried the RoleHierarchy mentioned above, but it seems like there is an issue with it:

java: incompatible types: org.springframework.security.access.vote.RoleHierarchyVoter cannot be converted to org.springframework.security.access.hierarchicalroles.RoleHierarchy.

Casting the return type to RoleHierarchy produces other issues since they are incompatible.

I wonder, how did you manage to make it work?
