Spring Security
  1. Spring Security
  2. SEC-1163

RoleHierarchyImpl and @Secured annotation

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Duplicate
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M2
    • Component/s: ACLs
    • Labels:
      None

      Description

      I have a situation. For example there is one user "administrator" and has authority "ROLE_ADMIN".
      I specify my roleHierarchy bean like this:

      <bean id="roleHierarchy"
      class="org.springframework.security.userdetails.hierarchicalroles.RoleHierarchyImpl">
      <property name="hierarchy">
      <value>ROLE_ADMIN > ROLE_CUSTOMER</value>
      </property>
      </bean>

      then i have a method with @Secured annotation:

      @Secured(

      {"ROLE_USER", "AFTER_ACL_READ"}

      )
      public Artist getArtist(Long artistId)

      { return dao.getArtist(artistId); }

      it seems that almost everything works fine with "ROLE_USER", i see acl information in the database,
      permissions work fine when inserting and deleting, but when there is only "ROLE_ADMIN", this method gives me an access denied error.
      I guess it sees only "ROLE_ADMIN" instead of whole permission tree: "ROLE_ADMIN" > "ROLE_USER".

      when dealing with annotations i use:

      <global-method-security secured-annotations="enabled"
      jsr250-annotations="enabled"
      access-decision-manager-ref="businessAccessDecisionManager"/>

      and

      <bean id="businessAccessDecisionManager"
      class="org.springframework.security.vote.AffirmativeBased">
      <property name="allowIfAllAbstainDecisions" value="false"/>
      <property name="decisionVoters">
      <list>
      <ref local="roleVoter"/>
      <ref local="aclObjectReadVoter"/>
      <ref local="aclObjectWriteVoter"/>
      <ref local="aclObjectDeleteVoter"/>
      <ref local="aclObjectAdminVoter"/>
      </list>
      </property>
      </bean>

      Can somebody explain me how to set up RoleHierarchyImpl correctly? or maybe this is some kind of a bug?

        Activity

        Hide
        Luke Taylor added a comment - - edited

        Already raised as SEC-1049, wrt ACLs.

        If you want basic support for role hierarchies, then use a RoleHierarchyVoter, instead of a RoleVoter.

        Show
        Luke Taylor added a comment - - edited Already raised as SEC-1049 , wrt ACLs. If you want basic support for role hierarchies, then use a RoleHierarchyVoter, instead of a RoleVoter.

          People

          • Assignee:
            Luke Taylor
            Reporter:
            Eduardas
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: