I can't get sec:authorize hasRole() to work with the role hierarchy. If I have a user with role ROLE_BOSS which is the parent of ROLE_WORKER, then <sec:authorize access="hasRole('ROLE_WORKER')"> is false for some reason. In my service classes @PreAuthorize("hasRole('ROLE_WORKER')") does work however. I assumed they both used the same evaluator, so why doesn't the taglib work? Thanks for the help.

JSP:
Code:
      <%-- Body is rendered only when the expression evaluates to true for the current user.
           sec:authorize only decides whether markup is emitted; the URL rules and service-layer
           checks still have to enforce access to whatever this markup links to. --%>
      <sec:authorize access="hasRole('ROLE_BOSS')">
        <p>This shows up.</p>
      </sec:authorize>
      <%-- NOTE(review): the tag evaluates its expression with a web expression handler that it looks
           up in the application context, not with the method-security "expressionHandler" bean.
           If the handler it finds has no roleHierarchy set, ROLE_BOSS does not imply ROLE_WORKER
           here. Confirm which web expression handler is exposed as a top-level bean. --%>
      <sec:authorize access="hasRole('ROLE_WORKER')">
        <p>This does not show up, but should.</p>
      </sec:authorize>
-config.xml security:
Code:
  <!-- Expression handler for method-security annotations; it is the bean referenced from
       sec:global-method-security. It is given the custom permissionEvaluator and the
       roleHierarchy, so method-level hasRole() checks can take the hierarchy into account. -->
  <!-- NOTE(review): this class handles method invocations only. Web expressions (intercept-url
       rules and the JSP sec:authorize tag) are evaluated by a web expression handler, so setting
       roleHierarchy here does not by itself affect them. -->
  <bean id="expressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <property name="permissionEvaluator" ref="permissionEvaluator"/>
    <property name="roleHierarchy" ref="roleHierarchy"/>
  </bean>

  <!-- Enables the pre/post annotations (such as @PreAuthorize) and has them evaluated by the
       "expressionHandler" bean instead of a default handler. -->
  <sec:global-method-security pre-post-annotations="enabled">
    <sec:expression-handler ref="expressionHandler"/>
  </sec:global-method-security>

  <!-- Application-defined permission evaluator, constructed with a map from permission name
       (String) to a Permission bean. -->
  <!-- NOTE(review): presumably hasPermission() expressions are resolved by looking the name up in
       this map. Confirm that an unknown permission name or a null target object results in a
       denial rather than a grant. -->
  <bean id="permissionEvaluator" class="com.myapp.security.MyPermissionEvaluator">
    <constructor-arg index="0">
      <map key-type="java.lang.String" value-type="com.myapp.security.Permission">
        <entry key="contractReadAccess" value-ref="contractReadPermission"/>
        <entry key="contractWriteAccess" value-ref="contractWritePermission"/>
      </map>
    </constructor-arg>
  </bean>

  <!-- Application-defined Permission implementations; these are the beans the permissionEvaluator
       map refers to by value-ref. Their logic is not shown in this listing. -->
  <bean id="contractReadPermission" class="com.myapp.security.ContractReadPermission"/>
  <bean id="contractWritePermission" class="com.myapp.security.ContractWritePermission"/>

  <!-- Web security: access attributes are expressions (use-expressions="true") and decisions are
       delegated to the custom "accessDecisionManager" bean instead of the namespace default. -->
  <!-- NOTE(review): no web expression handler is referenced from this element. The only handler
       that carries roleHierarchy is an inner bean of the WebExpressionVoter, and inner beans
       cannot be looked up from the application context. That is the likely reason the JSP
       sec:authorize tag evaluates hasRole() without the hierarchy. Declaring that
       DefaultWebSecurityExpressionHandler as a top-level bean with an id, referencing it from the
       voter, and (where the schema version in use allows a sec:expression-handler child of
       sec:http) referencing it here as well should make tag and URL checks agree. Verify against
       the Spring Security version in use. -->
  <sec:http use-expressions="true" access-decision-manager-ref="accessDecisionManager">
    <!-- Any authenticated user may reach /worker/**; no role is required.
         NOTE(review): with sec:remember-me enabled, isAuthenticated() is also satisfied by a
         remember-me login. Use isFullyAuthenticated() if that is not intended, and confirm
         whether a ROLE_WORKER check was meant for this pattern. -->
    <sec:intercept-url pattern="/worker/**" access="isAuthenticated()" requires-channel="https"/>
    <sec:intercept-url pattern="/boss/**" access="hasRole('ROLE_BOSS')" requires-channel="https"/>
    <!-- NOTE(review): only these two patterns are listed. There is no catch-all rule, so requests
         that match neither appear to have no access rule and no channel requirement, including
         /login and the login-processing URL where credentials are submitted. Confirm whether the
         listing is abridged; otherwise add a final catch-all rule and require https for login. -->

    <sec:form-login login-page="/login" authentication-failure-url="/login?login_error=1" authentication-success-handler-ref="successHandler"/>
    <sec:logout logout-url="/logout" logout-success-url="/login" invalidate-session="true"/>
    <!-- NOTE(review): remember-me is enabled with defaults and no key attribute. Check which
         default key the version in use applies and prefer an explicit, secret, per-deployment
         key; also confirm the remember-me cookie is only sent over https. -->
    <sec:remember-me/>
  </sec:http>

  <!-- Decision manager used by sec:http. AffirmativeBased grants access as soon as one voter
       votes to grant. Voters, in order: the hierarchy-aware "roleVoter", a WebExpressionVoter,
       and an AuthenticatedVoter. -->
  <!-- NOTE(review): because sec:http uses expression attributes, the WebExpressionVoter is
       presumably the only voter that votes on them and the other two abstain. Confirm before
       relying on the role or authenticated voters for URL decisions. -->
  <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <constructor-arg>
      <list>
        <ref bean="roleVoter" />
        <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
          <property name="expressionHandler">
            <!-- Anonymous inner bean: it gives this voter a hierarchy-aware web expression
                 handler, but it has no id and is not retrievable from the application context.
                 NOTE(review): other consumers of a web expression handler, such as the JSP
                 sec:authorize tag, therefore cannot pick up this instance. -->
            <bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
              <property name="roleHierarchy" ref="roleHierarchy"/>
            </bean>
          </property>
        </bean>
        <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
      </list>
    </constructor-arg>
  </bean>

  <!-- Role voter constructed with the shared roleHierarchy, so the roles it votes on include
       those implied by the hierarchy. It is the first voter in "accessDecisionManager". -->
  <bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <constructor-arg ref="roleHierarchy" />
  </bean>

  <!-- Single hierarchy rule: ROLE_BOSS includes ROLE_WORKER. The rule only takes effect in
       components that are explicitly given this bean (in this file: the method expression
       handler, the role voter, and the voter's inner web expression handler). Any evaluator
       that is not wired to it sees only the roles directly granted to the user. -->
  <bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <property name="hierarchy">
      <value>
        ROLE_BOSS > ROLE_WORKER
      </value>
    </property>
  </bean>

  <!-- Authentication is backed by the "myUserDetailsService" bean, which is not shown here. -->
  <!-- NOTE(review): no password-encoder child is configured on this provider. Depending on the
       Spring Security version, that can mean stored passwords are compared as plain text.
       Confirm how passwords are stored and configure a password encoder explicitly. -->
  <sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider user-service-ref="myUserDetailsService"/>
  </sec:authentication-manager>