mingchuno mingchuno - 4 months ago 171
Java Question

Spring Security Role Hierarchy not working using Java Config

First of all, I am new to Java Spring Framework. So forgive me if I did not provide enough info. I have tried to add RoleHierarchy into my app but it did not work. Below are the codes I have tried.




SecurityConfig.java

// These config is try to set up a user Role Hierarchy
@Bean
public RoleHierarchy roleHierarchy() {
System.out.println("arrive public RoleHierarchy roleHierarchy()");
RoleHierarchyImpl r = new RoleHierarchyImpl();
r.setHierarchy("ROLE_ADMIN > ROLE_STAFF");
r.setHierarchy("ROLE_STAFF > ROLE_USER");
r.setHierarchy("ROLE_DEVELOPER > ROLE_USER");
r.setHierarchy("ROLE_USER > ROLE_GUEST");
return r;
}

@Bean
public AffirmativeBased defaultAccessDecisionManager(RoleHierarchy roleHierarchy){
System.out.println("arrive public AffirmativeBased defaultAccessDecisionManager()");
List<AccessDecisionVoter> decisionVoters = new ArrayList<>();

// webExpressionVoter
WebExpressionVoter webExpressionVoter = new WebExpressionVoter();
DefaultWebSecurityExpressionHandler
expressionHandler = new DefaultWebSecurityExpressionHandler();
expressionHandler.setRoleHierarchy(roleHierarchy);
webExpressionVoter.setExpressionHandler(expressionHandler);

decisionVoters.add(webExpressionVoter);
decisionVoters.add(roleHierarchyVoter(roleHierarchy));
// return new AffirmativeBased(Arrays.asList((AccessDecisionVoter) webExpressionVoter));
return new AffirmativeBased(decisionVoters);
}

@Bean
public RoleHierarchyVoter roleHierarchyVoter(RoleHierarchy roleHierarchy) {
System.out.println("arrive public RoleHierarchyVoter roleHierarchyVoter");
return new RoleHierarchyVoter(roleHierarchy);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
// skipping some codes
http
// skipping some codes
.accessDecisionManager(defaultAccessDecisionManager(roleHierarchy()))
// skipping some codes
}





MethodSecurityConfig.java

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true, proxyTargetClass = true)
public class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {

@Inject
private SecurityConfig securityConfig;

@Override
protected AuthenticationManager authenticationManager() throws Exception {
return securityConfig.authenticationManagerBean();
}

@Override
protected MethodSecurityExpressionHandler createExpressionHandler() {
System.out.println("arrive protected MethodSecurityExpressionHandler createExpressionHandler()");
DefaultMethodSecurityExpressionHandler d = new DefaultMethodSecurityExpressionHandler();
d.setRoleHierarchy(securityConfig.roleHierarchy());
return d;
}

}





And I have a
UserDetailsServiceImpl implements UserDetailsService
that provide the
principal
,
Authentication
and
GrantedAuthority


Finally I have some APIs:

@PreAuthorize("hasRole('ROLE_STAFF')")
@RequestMapping(value = "/api/v1/contactUs", method = RequestMethod.GET)

@PreAuthorize("hasRole('ROLE_DEVELOPER')")
@RequestMapping(value = "/api/v1/system", method = RequestMethod.GET)





The problem is now if I login as ROLE_STAFF, ROLE_DEVELOPER, ROLE_ADMIN, I got the following result.

| API | ROLE_STAFF | ROLE_DEVELOPER | ROLE_ADMIN |
|-----------|------------|----------------|------------|
| contactUs | 200 | 403 | 403 |
| system | 403 | 200 | 403 |


As you can see
ROLE_STAFF
and
ROLE_DEVELOPER
work just fine. But I want
ROLE_ADMIN
as a super role of both and it didn't work.

FYI, I am using spring-security 3.2.5.RELEASE

Answer

Everytime I want to implement a hierarchy of roles with Spring Security and Java config, I use the following approach:

  1. We have to add a RoleHierarchyImpl bean into context (You see, that I use multiple roles to build a hierarchy):

    @Bean
    public RoleHierarchyImpl roleHierarchy() {
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
        roleHierarchy.setHierarchy("ROLE_ADMIN > ROLE_DBA ROLE_DBA > ROLE_USER ");
        return roleHierarchy;
    }
    
  2. Then we need to create web expression handler to pass obtained hierarchy to it:

    private SecurityExpressionHandler<FilterInvocation> webExpressionHandler() {
        DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
        defaultWebSecurityExpressionHandler.setRoleHierarchy(roleHierarchy());
        return defaultWebSecurityExpressionHandler;
    }
    
  3. The final step is to add expressionHandler into http.authorizeRequests():

            @Override
            protected void configure(HttpSecurity http) throws Exception {
                http
                   .authorizeRequests()
                        .expressionHandler(webExpressionHandler())
                        .antMatchers("/admin/**").access("(hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')) and isFullyAuthenticated()")
                        .antMatchers("/dba").access("hasRole('ROLE_DBA') and isFullyAuthenticated()")
                        .antMatchers("/dba/**").access("hasRole('ROLE_USER')")
                        .and()
                   .requiresChannel()
                        .antMatchers("/security/**").requiresSecure()
                        .anyRequest().requiresInsecure()
                        .and()
                   .formLogin()
                        .loginPage("/login")
                        .failureUrl("/login?auth=fail")
                        .usernameParameter("username")
                        .passwordParameter("password")
                        .defaultSuccessUrl("/admin")
                        .permitAll()
                        .and()
                   .logout()
                            .logoutUrl("/logout")
                            .deleteCookies("remember-me")
                            .invalidateHttpSession(true)
                            .logoutSuccessUrl("/index")
                            .permitAll()
                            .and()
                   .csrf()
                            .and()
                   .rememberMe().tokenValiditySeconds(1209600)
                            .and()
                   .exceptionHandling().accessDeniedPage("/403")
                            .and()
                   .anonymous().disable()
                   .addFilter(switchUserFilter());
            }
    

Result: in this particular example we try to visit /dba section after we have logged in using admin user (ROLE_ADMIN). Before we created a hierarchy, we had an access denied result, but now we can visit this section without any problems.