Summary
I've noticed a strange behaviour when setting up a RoleHierarchy in a simple Spring Boot application, when trying to use it with org.springframework.security.taglibs.authz.AbstractAuthorizeTag
Actual Behavior
Effektively two DefaultWebSecurityExpressionHandler get created:
|
private DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler(); |
|
|
|
private SecurityExpressionHandler<FilterInvocation> expressionHandler = defaultWebSecurityExpressionHandler; |
|
DefaultWebSecurityExpressionHandler defaultHandler = new DefaultWebSecurityExpressionHandler(); |
|
AuthenticationTrustResolver trustResolver = http |
|
.getSharedObject(AuthenticationTrustResolver.class); |
|
if (trustResolver != null) { |
|
defaultHandler.setTrustResolver(trustResolver); |
|
} |
|
ApplicationContext context = http.getSharedObject(ApplicationContext.class); |
|
if (context != null) { |
|
String[] roleHiearchyBeanNames = context.getBeanNamesForType(RoleHierarchy.class); |
|
if (roleHiearchyBeanNames.length == 1) { |
|
defaultHandler.setRoleHierarchy(context.getBean(roleHiearchyBeanNames[0], RoleHierarchy.class)); |
|
} |
|
String[] grantedAuthorityDefaultsBeanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class); |
|
if (grantedAuthorityDefaultsBeanNames.length == 1) { |
|
GrantedAuthorityDefaults grantedAuthorityDefaults = context.getBean(grantedAuthorityDefaultsBeanNames[0], GrantedAuthorityDefaults.class); |
|
defaultHandler.setDefaultRolePrefix(grantedAuthorityDefaults.getRolePrefix()); |
|
} |
|
String[] permissionEvaluatorBeanNames = context.getBeanNamesForType(PermissionEvaluator.class); |
|
if (permissionEvaluatorBeanNames.length == 1) { |
|
PermissionEvaluator permissionEvaluator = context.getBean(permissionEvaluatorBeanNames[0], PermissionEvaluator.class); |
|
defaultHandler.setPermissionEvaluator(permissionEvaluator); |
|
} |
|
} |
The second one picks up my RoleHierarchy bean, but the first doesnt.
org.springframework.security.taglibs.authz.AbstractAuthorizeTag#getExpressionHandler resolves the first handler, therefore the RoleHierarchy is ignored.
Expected Behavior
I'd expect AbstractAuthorizeTag to use my RoleHierarchy when resolving hasRole() expressions.
Configuration
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("admin").password("{noop}admin").roles("admin").and()
.withUser("user").password("{noop}user").roles("user");
}
@Bean
public RoleHierarchy roleHierarchy() {
RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
roleHierarchy.setHierarchy("ROLE_admin > ROLE_user");
return roleHierarchy;
}
}Version
Spring Security 5.2.0.M3
Sample
see #2997
see #4115
see 8a66d0c#diff-23827daef0917bb5218098c8108b9125
