Spring Security Role Hierarchy issues

Front-end · unresolved · 1 · 1129
眼角桃花 2021-01-07 01:57

I am trying to enable role hierarchy voting in Spring Security when authenticating using Waffle NTLM, but I am having some unknown issues in that the inherited roles do not appear.

1 answer
  •  离开以前
    2021-01-07 02:41

    Managed to fix my issues, which were down to an omission in my http namespace configuration that I found after hours of debugging the Spring Security source.

    The issue was how the DefaultWebSecurityExpressionHandler was created. In the snippet above it had been created as an inner bean inside the bean definition of the accessDecisionManager:

    
        
            
                
            
         
    
    

    With this, the role hierarchies are used to determine whether access should be granted when processing rules defined as intercept URLs such as:

    
    

    But if you want to check authorisation using the JSP Authorize taglib as below (this is in FreeMarker), it will not work, as the role hierarchies do not get taken into account:

    <@security.authorize access="hasRole('ROLE_TEST_1')">
        You have role 1
    </@security.authorize>

    <@security.authorize access="hasRole('ROLE_TEST_4')">
        You have role 4
    </@security.authorize>

    This is because the DefaultWebSecurityExpressionHandler created as an inner bean is only used within the access decision manager, but for taglib expressions a NEW default bean will be created (which doesn't use the RoleHierarchy) unless a security http namespace expression-handler is defined.

    So, to resolve my issues, I created the DefaultWebSecurityExpressionHandler bean, referenced it within my WebExpressionVoter bean definition and also used it as the http namespace expression handler, as follows:

    
    
        .
        . access denied handlers, concurrency control, port mappings etc
        .
    
        
    
    
    
    
          
    
    
    
        
            
                
                
                    
                
            
        
    
    

    Making these changes ensures the role hierarchies are taken into account both for web security expressions defined as intercept URLs via the http namespace and for expressions using the JSP Authorize taglib.

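The following is an added example of the wiring the answer describes, not the poster's own configuration (the original snippets did not survive on this page). It declares one RoleHierarchyImpl, one DefaultWebSecurityExpressionHandler that uses it, and then references that single handler from both the WebExpressionVoter inside the access decision manager and the `<expression-handler>` element of `<http>`, so that intercept-url rules and the Authorize taglib evaluate `hasRole(...)` against the same hierarchy. The namespace prefixes (`security` as default, `beans:` for core beans), the ROLE_TEST_1 > ... > ROLE_TEST_4 hierarchy, the URL patterns and the constructor-argument form of AffirmativeBased (Spring Security 3.1 or later) are assumptions for the example.

```xml
<!-- Added example: assumes the file declares the security namespace as default
     and the core beans namespace with the "beans" prefix. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

  <!-- Assumed hierarchy: holders of ROLE_TEST_1 transitively also hold ROLE_TEST_2..4. -->
  <beans:bean id="roleHierarchy"
              class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
      <beans:value>
        ROLE_TEST_1 > ROLE_TEST_2
        ROLE_TEST_2 > ROLE_TEST_3
        ROLE_TEST_3 > ROLE_TEST_4
      </beans:value>
    </beans:property>
  </beans:bean>

  <!-- One top-level expression handler that knows about the hierarchy.
       This is the bean the answer says must NOT be an inner bean. -->
  <beans:bean id="webExpressionHandler"
              class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <beans:property name="roleHierarchy" ref="roleHierarchy"/>
  </beans:bean>

  <!-- The voter used for intercept-url rules references the shared handler by id. -->
  <beans:bean id="accessDecisionManager"
              class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:constructor-arg>
      <beans:list>
        <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
          <beans:property name="expressionHandler" ref="webExpressionHandler"/>
        </beans:bean>
      </beans:list>
    </beans:constructor-arg>
  </beans:bean>

  <!-- The http namespace is told to use the SAME handler; without this element the
       Authorize taglib gets a fresh default handler with no RoleHierarchy. -->
  <http use-expressions="true" access-decision-manager-ref="accessDecisionManager">
    <expression-handler ref="webExpressionHandler"/>
    <!-- Assumed URL patterns for the example. -->
    <intercept-url pattern="/admin/**" access="hasRole('ROLE_TEST_1')"/>
    <intercept-url pattern="/reports/**" access="hasRole('ROLE_TEST_4')"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <!-- ... form-login / Waffle filter, logout, etc. as in the original configuration ... -->
  </http>

</beans:beans>
```

With this wiring, a principal granted only ROLE_TEST_1 is allowed through `/reports/**` and also sees the "You have role 4" block in the FreeMarker template, because both the voter and the taglib evaluate the expression through the hierarchy-aware `webExpressionHandler`. A quick way to confirm the fix is to log in as such a user and check that `hasRole('ROLE_TEST_4')` renders true in the template; if it still renders false while the intercept-url rule passes, the `<expression-handler>` element is the piece that is missing.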