  • Problems getting Role Hierarchy to work with Web Context / annotations

    I have read many posts and searched quite a lot, but cannot seem to get a Role Hierarchy to work.

    My main issue at this point seems to be that a Spring tag like
    <security:authorize access="hasRole('ROLE_SUPERVISOR')"> does not seem to evaluate to true.



    The roadblock I am running into seems similar to the one below, except that it does work... sort of.

    http://forum.springsource.org/showth...oyment-example


    My setup is similar to http://forum.springsource.org/archiv...p/t-98223.html

    I am using expressions, and have also set up the global tags to use the hierarchy role.


    I am using Spring 3.1, but on JDK 1.5.

    When I access a protected /secure/admin URL, I see in my logs that getReachableGrantedAuthorities() is called.






    19:34:28,062 DEBUG org.springframework.security.web.util.AntPathRequestMatcher:103 - Checking match of request : '/secure/admin'; against '/secure/**'
    19:34:28,063 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor:193 - Secure object: FilterInvocation: URL: /secure/admin; Attributes: [hasRole('ROLE_SUPERVISOR')]
    (Long line trimmed)
    19:34:28,063 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor:298 - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@7a15479b: .....Principal:Granted Authorities: ..........ROLE_SUPERUSER; Granted Authorities: ROLE_SUPERUSER
    19:34:28,063 DEBUG org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl:117 - getReachableGrantedAuthorities() - From the roles [ROLE_SUPERUSER] one can reach [ROLE_SUPERUSER, ROLE_SUPERVISOR, ROLE_GUEST, ROLE_USER] in zero or more steps.
    19:34:28,064 DEBUG org.springframework.security.access.vote.AffirmativeBased:65 - Voter: org.springframework.security.web.access.expression.WebExpressionVoter@335297, returned: 1
    19:34:28,064 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor:214 - Authorization successful
    19:34:28,064 DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor:226 - RunAsManager did not change Authentication object



    I tried to set the access manager ref in the global-security tags, but that resulted in an exception saying "AccessDecisionManager does not support secure object".


    I guess the main thing I am missing is the ability to inject this decision manager into the Spring EL context.


    Any ideas?

  • #2
    I finally found the answer in the forums, plus lots of trial and error.

    A complete config is:

    Code:
    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:s="http://www.springframework.org/schema/security"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.springframework.org/schema/beans
                               http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                               http://www.springframework.org/schema/security
                               http://www.springframework.org/schema/security/spring-security-3.1.xsd">

        <!-- Role hierarchy: a role on the left implies every role reachable on the right -->
        <bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
            <property name="hierarchy">
                <value>
                    ROLE_SUPERUSER > ROLE_SUPERVISOR
                    ROLE_SUPERVISOR > ROLE_USER
                    ROLE_USER > ROLE_GUEST
                </value>
            </property>
        </bean>

        <!-- Web expression handler that knows about the hierarchy; hasRole() in
             intercept-url and in the sec:authorize JSP tag is evaluated through it -->
        <bean id="expressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
            <property name="roleHierarchy" ref="roleHierarchy" />
        </bean>

        <!-- Access decision manager whose expression voter uses that handler -->
        <bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
            <constructor-arg>
                <list>
                    <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                        <property name="expressionHandler" ref="expressionHandler"/>
                    </bean>
                    <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
                </list>
            </constructor-arg>
        </bean>

        <s:http security="none" pattern="/login" access-decision-manager-ref="accessDecisionManager"/>

        <s:http use-expressions="true" access-decision-manager-ref="accessDecisionManager">
            <s:intercept-url pattern="/secure/**" access="hasRole('ROLE_SUPERVISOR')"/>
            <s:intercept-url pattern="/**" access="isAuthenticated()" />

            <s:form-login login-page="/login" authentication-failure-url="/login?err=true"
                          always-use-default-target="true" default-target-url="/MakeARequest"/>

            <s:anonymous/>
            <s:logout/>
            <s:access-denied-handler error-page="/AccessDenied"/>
        </s:http>

    </beans>

    In the JSP I use:

    Code:
    <sec:authorize access="hasRole('ROLE_SUPERVISOR')">
        Because you are a Supervisor or above, you can view the db
    </sec:authorize>
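    The following Java program is an added illustration and is not code from this thread or from Spring Security itself; it only uses the Spring Security 3.1 API the thread is configured against (RoleHierarchyImpl, DefaultWebSecurityExpressionHandler, FilterInvocation, ExpressionUtils). The class name RoleHierarchyDemo, the user "alice" and the request path are constructed for the demo. It builds the same hierarchy as the roleHierarchy bean above, reproduces the reachable-roles set that the first post's DEBUG line shows, and then evaluates hasRole('ROLE_SUPERVISOR') for a ROLE_SUPERUSER user twice: through a handler with no hierarchy (the first post's situation, where reachability is logged but the authorize tag stays false) and through a handler with the hierarchy injected (what the expressionHandler bean above does).

    ```java
    // Added example, not part of the forum thread. Requires spring-security-core,
    // spring-security-web and spring-expression 3.1 on the classpath; JDK 1.5 syntax.
    import java.util.Collection;
    import java.util.HashSet;
    import java.util.Set;

    import org.springframework.expression.EvaluationContext;
    import org.springframework.expression.Expression;
    import org.springframework.security.access.expression.ExpressionUtils;
    import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.AuthorityUtils;
    import org.springframework.security.web.FilterInvocation;
    import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

    public class RoleHierarchyDemo {

        // Same hierarchy string as the roleHierarchy bean in the thread's config.
        static final String HIERARCHY =
                "ROLE_SUPERUSER > ROLE_SUPERVISOR\n"
              + "ROLE_SUPERVISOR > ROLE_USER\n"
              + "ROLE_USER > ROLE_GUEST";

        static RoleHierarchyImpl roleHierarchy() {
            RoleHierarchyImpl rh = new RoleHierarchyImpl();
            rh.setHierarchy(HIERARCHY);
            return rh;
        }

        /** Authorities reachable from the given roles, as plain strings. */
        static Set<String> reachable(RoleHierarchyImpl rh, String... roles) {
            Collection<? extends GrantedAuthority> reached =
                    rh.getReachableGrantedAuthorities(AuthorityUtils.createAuthorityList(roles));
            Set<String> names = new HashSet<String>();
            for (GrantedAuthority ga : reached) {
                names.add(ga.getAuthority());
            }
            return names;
        }

        /**
         * Evaluates a web security expression such as hasRole('ROLE_SUPERVISOR') against an
         * Authentication the same way WebExpressionVoter does for an intercept-url: parse the
         * expression with the handler's parser, build the evaluation context for the request,
         * and evaluate it as a boolean.
         */
        static boolean evaluate(DefaultWebSecurityExpressionHandler handler,
                                Authentication auth, String expressionString) {
            Expression expr = handler.getExpressionParser().parseExpression(expressionString);
            // Constructed request for the demo: GET /secure/admin
            FilterInvocation fi = new FilterInvocation("/secure/admin", "GET");
            EvaluationContext ctx = handler.createEvaluationContext(auth, fi);
            return ExpressionUtils.evaluateAsBoolean(expr, ctx);
        }

        public static void main(String[] args) {
            RoleHierarchyImpl rh = roleHierarchy();
            // Corresponds to the RoleHierarchyImpl DEBUG line in the first post.
            System.out.println("reachable from ROLE_SUPERUSER: " + reachable(rh, "ROLE_SUPERUSER"));

            // Constructed user holding only the literal authority ROLE_SUPERUSER.
            Authentication superuser = new UsernamePasswordAuthenticationToken(
                    "alice", "n/a", AuthorityUtils.createAuthorityList("ROLE_SUPERUSER"));

            // 1) Handler without the hierarchy: hasRole() only sees the literal authorities.
            DefaultWebSecurityExpressionHandler plain = new DefaultWebSecurityExpressionHandler();
            System.out.println("without hierarchy: hasRole('ROLE_SUPERVISOR') = "
                    + evaluate(plain, superuser, "hasRole('ROLE_SUPERVISOR')"));

            // 2) Handler with the hierarchy injected, as the expressionHandler bean does.
            DefaultWebSecurityExpressionHandler withHierarchy = new DefaultWebSecurityExpressionHandler();
            withHierarchy.setRoleHierarchy(rh);
            System.out.println("with hierarchy:    hasRole('ROLE_SUPERVISOR') = "
                    + evaluate(withHierarchy, superuser, "hasRole('ROLE_SUPERVISOR')"));
            // A role outside the hierarchy is still denied.
            System.out.println("with hierarchy:    hasRole('ROLE_ADMIN') = "
                    + evaluate(withHierarchy, superuser, "hasRole('ROLE_ADMIN')"));
        }
    }
    ```

    The first evaluation is false and the second true: the hierarchy is consulted only inside the expression root that the handler creates, so a RoleHierarchyImpl bean that exists in the context but is not set on the DefaultWebSecurityExpressionHandler changes nothing for hasRole(), which is why the first post saw getReachableGrantedAuthorities() logged while the tag still evaluated to false. The sec:authorize JSP tag in 3.1 looks up the WebSecurityExpressionHandler bean from the web application context rather than receiving it by reference, so declaring expressionHandler as a top-level bean, as the config above does, is what lets the JSP tag and the intercept-url rules agree.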
