
  • Problems getting Role Hierarchy to work with Web Context / annotations

    I have read many posts and searched quite a lot, but cannot seem to get a role hierarchy to work.

    My main issue at this point seems to be that a spring tag like
    <security:authorize access="hasRole('ROLE_SUPERVISOR')"> does not seem to evaluate to true.

    The roadblock I am running into seems similar to, except that it does work... sort of.

    My setup is similar to

    I am using expressions, and have also set up global tags to use the hierarchy role.

    I am using Spring 3.1 but on JDK 1.5

    When I access a protected /secure/admin URL, I see in my logs, that getReachableGrantedAuthorities() is called.

    19:34:28,062 DEBUG stMatcher:103 - Checking match of request : '/secure/admin'; against '/secure/**'

    19:34:28,063 DEBUG FilterSecurityInterceptor:193 - Secure object: FilterInvocation: URL: /secure/admin; Attributes: [hasRole('ROLE_SUPERVISOR')]

    (Long line trimmed)
    19:34:28,063 DEBUG FilterSecurityInterceptor:298 - Previously Authenticated: [email protected]: .....Principal:Granted Authorities: ..........ROLE_SUPERUSER; Granted Authorities: ROLE_SUPERUSER

    19:34:28,063 DEBUG les.RoleHierarchyImpl:117 - getReachableGrantedAuthorities() - From the roles [ROLE_SUPERUSER] one can reach [ROLE_SUPERUSER, ROLE_SUPERVISOR, ROLE_GUEST, ROLE_USER] in zero or more steps.

    19:34:28,064 DEBUG veBased:65 - Voter: [email protected], returned: 1

    19:34:28,064 DEBUG FilterSecurityInterceptor:214 - Authorization successful

    19:34:28,064 DEBUG FilterSecurityInterceptor:226 - RunAsManager did not change Authentication object

    I tried to set the access manager ref in global-security tags, but that resulted in an exception with AccessDecisionManager does not support secure object.

    I guess the main thing I am missing is the ability to inject this decision manager into the Spring EL context.

    Any ideas?

  • #2
    I finally found the answer in the forums + with lots of trial and error.

    A complete config is

    <bean id="roleHierarchy" class="">
        <property name="hierarchy">
            <value>
                ROLE_SUPERUSER > ROLE_SUPERVISOR
                ROLE_SUPERVISOR > ROLE_USER
                ROLE_USER > ROLE_GUEST
            </value>
        </property>
    </bean>

    <bean id="expressionHandler" class="">
        <property name="roleHierarchy" ref="roleHierarchy" />
    </bean>

    <bean id="accessDecisionManager" class="">
        <property name="decisionVoters">
            <list>
                <bean class="">
                    <property name="expressionHandler" ref="expressionHandler"/>
                </bean>
                <bean class=""/>
            </list>
        </property>
    </bean>

    <s:http security="none" pattern="/login" access-decision-manager-ref="accessDecisionManager"/>
    <s:http use-expressions="true" access-decision-manager-ref="accessDecisionManager">
        <s:intercept-url pattern="/secure/**" access="hasRole('ROLE_SUPERVISOR')"/>
        <s:intercept-url pattern="/**" access="isAuthenticated()" />
        <s:form-login login-page="/login" authentication-failure-url="/login?err=true" always-use-default-target="true" default-target-url="/MakeARequest"/>
        <s:access-denied-handler error-page="/AccessDenied"/>
    </s:http>

    In the JSP I use

    <sec:authorize access="hasRole('ROLE_SUPERVISOR')">
    Because you are a Supervisor or above, you can view the db
    </sec:authorize>
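
The thread turns on the difference between a `hasRole` check that consults the role hierarchy and one that only looks at the authorities granted to the principal. The Java program below is an added example, not code from either post; it assumes Spring Security 3.1 core on the classpath. The class name `RoleHierarchyCheck`, the helpers `hasRoleFlat` and `hasRoleHierarchical`, and the role `ROLE_ADMIN` are constructed for illustration.

```java
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

public class RoleHierarchyCheck {

    // Hierarchy string taken from the configuration in post #2.
    static final String HIERARCHY =
            "ROLE_SUPERUSER > ROLE_SUPERVISOR\n"
          + "ROLE_SUPERVISOR > ROLE_USER\n"
          + "ROLE_USER > ROLE_GUEST";

    // Evaluation with no RoleHierarchy: only the directly granted authorities count.
    static boolean hasRoleFlat(Collection<? extends GrantedAuthority> granted, String role) {
        return AuthorityUtils.authorityListToSet(granted).contains(role);
    }

    // Evaluation with a RoleHierarchy: granted authorities plus everything reachable from them.
    static boolean hasRoleHierarchical(RoleHierarchyImpl hierarchy,
            Collection<? extends GrantedAuthority> granted, String role) {
        return AuthorityUtils.authorityListToSet(
                hierarchy.getReachableGrantedAuthorities(granted)).contains(role);
    }

    public static void main(String[] args) {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy(HIERARCHY);

        // Constructed principal holding ROLE_SUPERUSER only, as in the log excerpt.
        List<GrantedAuthority> granted = AuthorityUtils.createAuthorityList("ROLE_SUPERUSER");

        // ROLE_ADMIN is a constructed role outside the hierarchy; it must stay denied either way.
        String[] roles = {"ROLE_SUPERUSER", "ROLE_SUPERVISOR", "ROLE_GUEST", "ROLE_ADMIN"};
        for (String role : roles) {
            System.out.println(role
                    + " flat=" + hasRoleFlat(granted, role)
                    + " hierarchical=" + hasRoleHierarchical(hierarchy, granted, role));
        }
    }
}
```

For `ROLE_SUPERVISOR` the flat check is false and the hierarchical check is true, which matches a URL rule that passes while an expression evaluated without the hierarchy does not.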