Skip to content

AuthorityAuthorizationManager never using defined role hierarchy #12473

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
davidvelasco-lk opened this issue Dec 28, 2022 · 4 comments · Fixed by #12505
Closed

AuthorityAuthorizationManager never using defined role hierarchy #12473

davidvelasco-lk opened this issue Dec 28, 2022 · 4 comments · Fixed by #12505
Assignees
@jzheaux
Labels
in: config An issue in spring-security-config status: ideal-for-contribution An issue that we actively are looking for someone to help us with type: enhancement A general enhancement
Milestone
6.1.0-M1

Comments

@davidvelasco-lk
Copy link

davidvelasco-lk commented Dec 28, 2022
edited
Loading

Describe the bug
Defined role hierarchy is not picked up by AuthorityAuthorizationManager.

  • Role hierarchy: ROLE_SUPERUSER > ROLE_USER
  • endpoint GET /greet is authorized to role USER
  • User user is configured as SUPERUSER. According to defined role hierarchy, access to resource should be granted.

After debugging I found that AuthorityAuthorizationManager is always using NullRoleHierarchy. This setter is never being assigned to the one I created.

Env: spring boot 3.0.0 / spring security 6.0.0
Context: Upgrading from spring boot 2.7.x to spring boot 3.0.0

To Reproduce

  1. Start the example
  2. Go to localhost:8080/greet
  3. log in should be shown
    user: user
    password: pass
  4. response code is 403, forbidden.

Expected behavior
Should return "hello world" string

Sample

Example project.
@davidvelasco-lk davidvelasco-lk added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Dec 28, 2022
@davidvelasco-lk
Copy link
Author

davidvelasco-lk commented Dec 28, 2022
edited
Loading

I found this way to enable role hierarchies. Is this the expected way to do it?

  @Bean
  public SecurityFilterChain configure(
      HttpSecurity http,
      RequestHeaderAuthenticationFilter headerAuthenticationFilter) throws Exception {

    var auth1 = AuthorityAuthorizationManager.<RequestAuthorizationContext>hasRole("USER");
    auth1.setRoleHierarchy(roleHierarchy());
    
    http
        .authorizeHttpRequests(auth -> auth
          .requestMatchers(HttpMethod.GET).access(auth1)
        );
    return http.build();
  }

 @Bean
  public RoleHierarchy roleHierarchy() {
    RoleHierarchyImpl r = new RoleHierarchyImpl();
    r.setHierarchy("ROLE_SUPERUSER > ROLE_USER");
    return r;
  }

@jzheaux
Copy link
Contributor

jzheaux commented Jan 3, 2023

Thanks for reaching out, @davidvelasco-lk. This is what is supported at this point, yes.

It would be nice if AuthorizeHttpRequestsConfigurer.AuthorizeUrl#hasRole and other related methods looked for the RoleHierarchy bean and called AuthorityAuthorizationManager's setter. Are you able to submit a PR that adds this functionality?

@jzheaux jzheaux self-assigned this Jan 3, 2023
@jzheaux jzheaux added in: config An issue in spring-security-config type: enhancement A general enhancement status: ideal-for-contribution An issue that we actively are looking for someone to help us with and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jan 3, 2023
@evgeniycheban
Copy link
Contributor

Hi, @jzheaux I should've added this functionality in gh-12231, but I didn't take into account such use case, I'm going to add this in a new PR, so the user will be able to define RoleHierarchy as a @Bean and it will be determined by the AuthorizeHttpRequestsConfigurer and set to the AuthorityAuthorizationManager using its setter.

@evgeniycheban evgeniycheban mentioned this issue Jan 8, 2023
Merged
evgeniycheban added a commit to evgeniycheban/spring-security that referenced this issue Jan 8, 2023
@evgeniycheban
AuthorizeHttpRequestsConfigurer.AuthorizedUrl.hasRole should look up …
93ca774 
…for a RoleHierarchy bean in the context

Closes spring-projectsgh-12473
jzheaux pushed a commit that referenced this issue Jan 10, 2023
@evgeniycheban @jzheaux
AuthorizeHttpRequestsConfigurer.AuthorizedUrl.hasRole should look up …
d84b8d2 
…for a RoleHierarchy bean in the context

Closes gh-12473
@helloKeyur
Copy link

@davidvelasco-lk & @jzheaux to authorized if we want enable method level security. and secure endpoints with annotation in controller level not in SpringSecurityConfig Class level then how we can configure that?
in Spring Boot 3 & spring security 6.

@jcheron jcheron mentioned this issue Mar 14, 2023
Open
@vrudas vrudas mentioned this issue Mar 14, 2023
Open
@evgeniycheban evgeniycheban mentioned this issue May 17, 2023
Closed
@jzheaux jzheaux added this to the 6.1.0-M1 milestone May 18, 2023
@marcusdacoregio marcusdacoregio mentioned this issue May 25, 2023
Closed
@bwgjoseph bwgjoseph mentioned this issue Sep 30, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: config An issue in spring-security-config status: ideal-for-contribution An issue that we actively are looking for someone to help us with type: enhancement A general enhancement
Projects
None yet
Milestone
6.1.0-M1
4 participants
@jzheaux @evgeniycheban @helloKeyur @davidvelasco-lk