Description
After migration to Spring Boot 3.0.+ and the provided Spring Security 6, the code in the Example 17 - Authorization
module does not work the same way as it did in Spring Security 5. This happened because of the broken support of the RoleHierarchy
feature by AuthorityAuthorizationManager.
The problem was found by the community, and the corresponding issues were logged:
- Add Authority String AuthorizationManager spring-projects/spring-security#12231
- AuthorityAuthorizationManager never using defined role hierarchy spring-projects/spring-security#12473
- AuthorizeHttpRequestsConfigurer.AuthorizedUrl.hasRole should look up for a RoleHierarchy bean in the context spring-projects/spring-security#12505
Some of them are fixed and will be released as part of the Spring Security 6.1.+ version.
So the code in this module should be fixed after updating to the latest version of Spring Security that contains the fix.
During implementation, make sure that all tests from https://github.com/vrudas/spring-framework-examples/blob/main/example-17-authorization/src/test/java/io/sfe/authorization/AccessCheckControllerTest.java are executed successfully 🧪