Closed
Description
AclAuthorizationStrategyImpl does not check reachable granted authorities when checking principal's authorities to determine right
Spring Security has been configured using role hierarchies, but Spring Security ACL does not consider this when evaluating a principal's authorities to determine right.
Actual Behavior
From the AclAuthorizationStrategyImpl.securityCheck(Acl, int) method:

```java
// Iterate this principal's authorities to determine right
// (exact match against the directly held authorities only; the role hierarchy is never consulted)
if (authentication.getAuthorities().contains(requiredAuthority)) {
	return;
}
```
Expected Behavior
The AclAuthorizationStrategyImpl.securityCheck(Acl, int) method should do something along the lines of:

```java
// Iterate this principal's authorities to determine right
// (expand the held authorities through the configured RoleHierarchy before matching)
Collection<? extends GrantedAuthority> authorities = this.roleHierarchy
		.getReachableGrantedAuthorities(authentication.getAuthorities());
if (authorities.contains(requiredAuthority)) {
	return;
}
```
Configuration
SpringACLConfig.java

```java
...
@Bean
public AclAuthorizationStrategyImpl aclAuthorizationStrategy() {
	AclAuthorizationStrategyImpl aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
			new SimpleGrantedAuthority("ROLE_ACL_OWNERSHIP_ADMIN"), // grant ACL authority to CHANGE_OWNERSHIP
			new SimpleGrantedAuthority("ROLE_ACL_AUDITING_ADMIN"), // grant ACL authority to CHANGE_AUDITING
			new SimpleGrantedAuthority("ROLE_ACL_GENERAL_ADMIN")); // grant ACL authority to CHANGE_GENERAL
	// the SID retrieval strategy is hierarchy-aware, but securityCheck's authority test is not
	aclAuthorizationStrategy.setSidRetrievalStrategy(new SidRetrievalStrategyImpl(roleHierarchy()));
	return aclAuthorizationStrategy;
}
...
```
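The two checks from the Actual and Expected Behavior sections side by side, as an added example written against the public Spring Security API (not the project's own code or the reporter's). It assumes a hierarchy in which ROLE_ADMIN implies ROLE_ACL_GENERAL_ADMIN, so a principal holding only ROLE_ADMIN is refused CHANGE_GENERAL by the exact-match test but accepted by the hierarchy-aware one:

```java
import java.util.Collection;

import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class AclRoleHierarchyCheckDemo {

	// Authority the issue's config passes to AclAuthorizationStrategyImpl for CHANGE_GENERAL
	static final GrantedAuthority GENERAL_ADMIN =
			new SimpleGrantedAuthority("ROLE_ACL_GENERAL_ADMIN");

	// Assumed hierarchy (not taken from the issue): ROLE_ADMIN implies ROLE_ACL_GENERAL_ADMIN
	static RoleHierarchy roleHierarchy() {
		RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
		hierarchy.setHierarchy("ROLE_ADMIN > ROLE_ACL_GENERAL_ADMIN");
		return hierarchy;
	}

	// Actual behaviour: exact match against the authorities the token holds directly
	static boolean exactMatchCheck(Authentication auth, GrantedAuthority required) {
		return auth.getAuthorities().contains(required);
	}

	// Expected behaviour: expand the held authorities through the hierarchy before matching
	static boolean hierarchyAwareCheck(RoleHierarchy hierarchy, Authentication auth,
			GrantedAuthority required) {
		Collection<? extends GrantedAuthority> reachable =
				hierarchy.getReachableGrantedAuthorities(auth.getAuthorities());
		return reachable.contains(required);
	}

	public static void main(String[] args) {
		// Constructed principal: holds only ROLE_ADMIN, nothing ACL-specific
		Authentication admin = new TestingAuthenticationToken("alice", "n/a", "ROLE_ADMIN");

		// ROLE_ACL_GENERAL_ADMIN is not held directly
		System.out.println("exact match:     " + exactMatchCheck(admin, GENERAL_ADMIN));
		// ROLE_ADMIN reaches ROLE_ACL_GENERAL_ADMIN through the hierarchy
		System.out.println("hierarchy-aware: "
				+ hierarchyAwareCheck(roleHierarchy(), admin, GENERAL_ADMIN));
	}
}
```

Note that wiring the RoleHierarchy into SidRetrievalStrategyImpl, as the configuration above does, only affects which SIDs are used for ACE lookups; the admin-authority short-circuit in securityCheck still performs the exact-match test.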
Version
Using io.spring.platform:platform-bom:Athens-SR1 & org.springframework.boot:spring-boot-gradle-plugin:1.4.2.RELEASE