
Support RoleHierarchy Bean in authorizeHttpRequests Kotlin DSL #15136

Closed
@ttasjwi

Description


Hello, Spring Security Team.

I have encountered an issue when configuring security with Kotlin DSL and RoleHierarchy. The behavior seems inconsistent compared to the traditional DSL configuration.

Controller

import org.springframework.web.bind.annotation.GetMapping
import org.springframework.web.bind.annotation.RestController

// Four endpoints, one per role level, used to probe the authorization rules below
@RestController
class SecurityController {

    @GetMapping("/")
    fun index(): String {
        return "index"
    }

    @GetMapping("/user")
    fun user(): String {
        return "user"
    }

    @GetMapping("/db")
    fun db(): String {
        return "db"
    }

    @GetMapping("/admin")
    fun admin(): String {
        return "admin"
    }
}

UserDetailsService

import org.springframework.context.annotation.Bean
import org.springframework.security.core.userdetails.User
import org.springframework.security.core.userdetails.UserDetailsService
import org.springframework.security.provisioning.InMemoryUserDetailsManager

// Three in-memory users, each holding exactly one role; the {noop} prefix stores the
// sample passwords unencoded for the reproduction
@Bean
fun userDetailsService(): UserDetailsService {
    val user = User.withUsername("user").password("{noop}1111").roles("USER").build()
    val db = User.withUsername("db").password("{noop}1111").roles("DB").build()
    val admin = User.withUsername("admin").password("{noop}1111").roles("ADMIN").build()
    return InMemoryUserDetailsManager(user, db, admin)
}

RoleHierarchy Bean

The RoleHierarchy bean is configured as follows:

import org.springframework.context.annotation.Bean
import org.springframework.security.access.hierarchicalroles.RoleHierarchy
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl

// Each line grants the role on the left every authority reachable from the role on the right,
// so ADMIN implies DB, USER and ANONYMOUS
@Bean
fun roleHierarchy(): RoleHierarchy {
    val roleHierarchy = RoleHierarchyImpl()
    roleHierarchy.setHierarchy(
        """
        ROLE_ADMIN > ROLE_DB
        ROLE_DB > ROLE_USER
        ROLE_USER > ROLE_ANONYMOUS
        """.trimIndent()
    )
    return roleHierarchy
}

Traditional DSL Configuration

Using the traditional DSL configuration, RoleHierarchy works as expected:

import org.springframework.context.annotation.Bean
import org.springframework.security.config.Customizer
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.web.SecurityFilterChain

@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
    http.authorizeHttpRequests {
        it
            .requestMatchers("/user").hasRole("USER")
            .requestMatchers("/admin").hasRole("ADMIN")
            .requestMatchers("/db").hasRole("DB")
    }
        .formLogin(Customizer.withDefaults())
        .csrf { it.disable() }
    return http.build()
}

Kotlin DSL Configuration

However, when using the Kotlin DSL configuration, the RoleHierarchy seems to behave inconsistently:

import org.springframework.context.annotation.Bean
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain

@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
    http {
        authorizeHttpRequests {
            authorize("/user", hasRole("USER"))
            authorize("/admin", hasRole("ADMIN"))
            authorize("/db", hasRole("DB"))
            authorize(anyRequest, authenticated)
        }
        formLogin { }
        csrf { disable() }
    }
    return http.build()
}

Environment

  • Spring Boot: 3.2.5
  • Spring Security: 6.2.4
  • Kotlin: 1.9.23
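Until the Kotlin DSL looks up the RoleHierarchy bean on its own, the hierarchy can be attached explicitly to the AuthorizationManager each rule uses. The configuration below is an added example, not code from the issue author or from Spring Security; it assumes the RoleHierarchy and UserDetailsService beans from the issue are present in the context, that AuthorityAuthorizationManager.setRoleHierarchy is available (it is in the 6.x line), and the class name and the hasRoleWithHierarchy helper are this example's own names.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.access.hierarchicalroles.RoleHierarchy
import org.springframework.security.authorization.AuthorityAuthorizationManager
import org.springframework.security.authorization.AuthorizationManager
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.access.intercept.RequestAuthorizationContext

// Hypothetical class name for this example; it replaces the filter chain bean from the issue
@Configuration
@EnableWebSecurity
class HierarchyAwareSecurityConfig {

    // The RoleHierarchy bean is injected here and wired into every role rule, so the
    // Kotlin DSL evaluates hasRole the same way the traditional DSL does
    @Bean
    fun securityFilterChain(http: HttpSecurity, roleHierarchy: RoleHierarchy): SecurityFilterChain {

        // Builds the same manager the DSL's hasRole(...) returns, but with the hierarchy applied,
        // so ROLE_ADMIN is accepted wherever ROLE_DB or ROLE_USER is required
        fun hasRoleWithHierarchy(role: String): AuthorizationManager<RequestAuthorizationContext> =
            AuthorityAuthorizationManager.hasRole<RequestAuthorizationContext>(role)
                .apply { setRoleHierarchy(roleHierarchy) }

        http {
            authorizeHttpRequests {
                authorize("/user", hasRoleWithHierarchy("USER"))
                authorize("/db", hasRoleWithHierarchy("DB"))
                authorize("/admin", hasRoleWithHierarchy("ADMIN"))
                // Unmatched paths still fail closed: any authenticated user, no role needed
                authorize(anyRequest, authenticated)
            }
            formLogin { }
            csrf { disable() }
        }
        return http.build()
    }
}
```

With this in place the admin user from the issue reaches /user and /db as well as /admin, matching the traditional DSL. Keeping the hierarchy in one bean and threading it through a single helper also means a later change to the hierarchy applies uniformly, rather than being silently ignored by rules written in the Kotlin DSL.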

Labels: in: config (An issue in spring-security-config), type: enhancement (A general enhancement)