I'm using Spring Security 3.0.4.RELEASE and I'm trying to figure out if RoleHierarchy can be used when simply looping through granted Authorities. Below is my config:
So what I want to do is in my method check if the user is ROLE_MANAGER but if the user is ROLE_ADMIN then it should be included (as shown in the hierarchy). It doesn't seem that the granted authorities necessarily include the other roles so I may have to check using the voter? I've also tried using @PreAuthorize("hasRole('ROLE_MANAGER'") on this method but it doesn't seem to be found. Is it required that @PreAuthorize work on only public methods? Thanks!

Code:
<beans:bean id="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <beans:property name="roleHierarchy" ref="roleHierarchy" />
</beans:bean>

<!-- An expression handler used to secure methods. This overrides the DefaultMethodSecurityExpressionHandler to include roleHierarchy. -->
<beans:bean id="methodSecurityExpressionHandler" class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="roleHierarchy" ref="roleHierarchy" />
</beans:bean>

<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
        <beans:value>
            ROLE_ADMIN > ROLE_MANAGER
            ROLE_MANAGER > ROLE_USER
            ROLE_USER > ROLE_AUTHENTICATED
            ROLE_AUTHENTICATED > ROLE_UNAUTHENTICATED
        </beans:value>
    </beans:property>
</beans:bean>

<global-method-security pre-post-annotations="enabled" secured-annotations="enabled">
    <security:expression-handler ref="methodSecurityExpressionHandler" />
</global-method-security>

<!-- security:authorize tags using the url attribute will delegate to this accessDecisionManager -->
<beans:bean id="webAccessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <beans:property name="expressionHandler" ref="webSecurityExpressionHandler" />
            </beans:bean>
        </beans:list>
    </beans:property>
</beans:bean>

<http auto-config="true" use-expressions="true" access-decision-manager-ref="webAccessDecisionManager">
    <form-login login-page="/login" default-target-url="/" always-use-default-target="false" authentication-failure-url="/login?error=authorizationFailed" />
    <logout invalidate-session="true" logout-url="/logout" logout-success-url="/login?error=loggedOut" />
    <access-denied-handler error-page="/error?id=accessDenied" />
    <remember-me key="company-app-remember" />
    <!-- ... -->
</http>

<authentication-manager alias="authenticationManager">
    <ldap-authentication-provider user-search-filter="mail={0}" user-search-base="ou=people,o=company" user-context-mapper-ref="customUserDetailsContextMapper" group-search-base="ou=groups,o=company" />
</authentication-manager>
Code:
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Roles, ClientTask, ClientTaskDto and log are the application's own types (not shown in the post).
private void clientTaskDtoToClientTask(ClientTask clientTaskToUpdate, ClientTaskDto clientTaskDto) {
    // Walk the authorities attached directly to the current Authentication.
    // These are the authorities the provider populated; they are not expanded through the
    // RoleHierarchy bean, so a user holding only ROLE_ADMIN does not match ROLE_MANAGER here.
    for (GrantedAuthority authority : SecurityContextHolder.getContext().getAuthentication().getAuthorities()) {
        if (authority.getAuthority().equals(Roles.ROLE_MANAGER)) {
            log.info(String.format("Found role %s, setting assignment properties on client task.", Roles.ROLE_MANAGER));
            // Update the clientTask fields
            clientTaskToUpdate.setAssignedEmployee(clientTaskDto.getClientTask().getAssignedEmployee());
            clientTaskToUpdate.setDueDate(clientTaskDto.getClientTask().getDueDate());
        }
    }
}
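An added example (not the poster's code) of applying the hierarchy inside a manual loop: RoleHierarchy.getReachableGrantedAuthorities expands the authorities actually held, so a check for ROLE_MANAGER also passes for ROLE_ADMIN. HierarchyAwareRoleCheck and hasRole are hypothetical names; the hierarchy string is the one from the question's roleHierarchy bean, and the authority lists are constructed sample input.

```java
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

/**
 * Hypothetical helper (not from the post): expands the held authorities through the
 * configured RoleHierarchy before comparing, so that implied roles are honoured.
 */
public class HierarchyAwareRoleCheck {

    private final RoleHierarchy roleHierarchy;

    public HierarchyAwareRoleCheck(RoleHierarchy roleHierarchy) {
        this.roleHierarchy = roleHierarchy;
    }

    /** True if the role itself, or any role above it in the hierarchy, is held. */
    public boolean hasRole(Collection<GrantedAuthority> held, String role) {
        // getReachableGrantedAuthorities returns held roles plus everything they imply.
        Collection<? extends GrantedAuthority> reachable =
                roleHierarchy.getReachableGrantedAuthorities(held);
        for (GrantedAuthority authority : reachable) {
            if (role.equals(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Same hierarchy as the roleHierarchy bean in the question.
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_MANAGER\n"
                + "ROLE_MANAGER > ROLE_USER\n"
                + "ROLE_USER > ROLE_AUTHENTICATED\n"
                + "ROLE_AUTHENTICATED > ROLE_UNAUTHENTICATED");
        HierarchyAwareRoleCheck check = new HierarchyAwareRoleCheck(hierarchy);

        // Constructed sample: an authentication that carries only ROLE_ADMIN.
        List<GrantedAuthority> admin = AuthorityUtils.createAuthorityList("ROLE_ADMIN");
        System.out.println("ROLE_ADMIN satisfies ROLE_MANAGER: " + check.hasRole(admin, "ROLE_MANAGER"));

        // Constructed sample: a plain user, who must not be treated as a manager.
        List<GrantedAuthority> user = AuthorityUtils.createAuthorityList("ROLE_USER");
        System.out.println("ROLE_USER satisfies ROLE_MANAGER: " + check.hasRole(user, "ROLE_MANAGER"));
    }
}
```

In the application the RoleHierarchy would be injected from the existing roleHierarchy bean and the held collection taken from SecurityContextHolder.getContext().getAuthentication().getAuthorities().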


