Ritesh M Nayak

Reputation: 8043

Grails: SpringSecurity roleHierarchy not working as expected

I am using the springsecurity plugin in Grails 2.0.1. My role hierarchy and other s2 properties are shown below.

grails.plugins.springsecurity.userLookup.userDomainClassName = 'myApp.security.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'myApp.security.UserRole'
grails.plugins.springsecurity.authority.className = 'myApp.security.Role'
grails.plugins.springsecurity.successHandler.defaultTargetUrl="/index"
grails.plugins.springsecurity.securityConfigType = "Annotation"

//grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.roleHierarchy = '''
    ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
    ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
    ROLE_OWNER > ROLE_USER_WRITE
'''

As per the documentation, if my @Secured annotation allows ROLE_USER_WRITE, then all other roles need to be allowed access as well. Similarly, if I were to use a tag, then ROLE_OWNER, ROLE_OWNER_TRANSFER_PRIVILEGE and ROLE_ADMIN must equate to true. But this doesn't work; instead I am forced to list each role. I checked the debug logs and it looks like this:

2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - setHierarchy() - The following role hierarchy was set: 
        ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
        ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
        ROLE_OWNER > ROLE_USER_WRITE

2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - buildRolesReachableInOneStepMap() - From role ROLE_ADMIN one can reach role ROLE_OWNER_TRANSFER_PRIVILEGE in one step.
2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - buildRolesReachableInOneStepMap() - From role ROLE_OWNER_TRANSFER_PRIVILEGE one can reach role ROLE_OWNER in one step.
2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - buildRolesReachableInOneStepMap() - From role ROLE_OWNER one can reach role ROLE_USER_WRITE in one step.
2012-06-01 09:28:14,803 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - buildRolesReachableInOneOrMoreStepsMap() - From role ROLE_ADMIN one can reach [ROLE_OWNER_TRANSFER_PRIVILEGE, ROLE_USER_WRITE, ROLE_OWNER] in one or more steps.
...

It seems like the role hierarchies are being created, but they are not enforced while the application is running. What am I doing wrong and how do I get this to work as per the documentation?

Upvotes: 3

Views: 1297

Answers (1)

Ritesh M Nayak

Reputation: 8043

roleHierarchies need to have a complete tree structure to work. In my question I represented half the hierarchy; it turned out to be an incomplete tree representation. Something like:

ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
ROLE_OWNER > ROLE_USER_WRITE
ROLE_USER > ROLE_READ

Here ROLE_USER and ROLE_USER_WRITE are disconnected subtrees of the hierarchy, and Spring Security wasn't, understandably, able to resolve this while resolving permissions.

Upvotes: 1
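As an added, stand-alone example (not code from the question, the answer or the Grails Spring Security plugin): a small Python model of the expansion that the RoleHierarchyImpl debug output in the question describes, so a candidate hierarchy string can be checked offline before it goes into Config.groovy. It parses the same `HIGHER > LOWER` syntax as the config value, computes the one-step map and the one-or-more-steps closure shown in the log, and models a @Secured(['A', 'B']) check as "any listed role is among the user's expanded roles". The function names, the cycle check and the treatment of roles absent from the hierarchy are this model's own assumptions, not the plugin's implementation.

```python
import re
from typing import Dict, Iterable, Set

# Hierarchy string copied from the question's Config.groovy (constructed sample).
HIERARCHY = """
    ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
    ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
    ROLE_OWNER > ROLE_USER_WRITE
"""

# One "HIGHER > LOWER" pair; whitespace and line breaks between pairs are ignored.
EDGE = re.compile(r"(\S+)\s*>\s*(\S+)")


def one_step(hierarchy: str) -> Dict[str, Set[str]]:
    """role -> roles reachable in exactly one step.

    Corresponds to what the debug log labels buildRolesReachableInOneStepMap()."""
    reach: Dict[str, Set[str]] = {}
    for higher, lower in EDGE.findall(hierarchy):
        reach.setdefault(higher, set()).add(lower)
    return reach


def closure(hierarchy: str) -> Dict[str, Set[str]]:
    """role -> every role reachable in one or more steps (transitive closure).

    Corresponds to buildRolesReachableInOneOrMoreStepsMap() in the log. A role that
    can reach itself means the hierarchy has a cycle, which is rejected here
    (assumption of this model: a hierarchy must be acyclic)."""
    step = one_step(hierarchy)
    result: Dict[str, Set[str]] = {}
    for start in step:
        seen: Set[str] = set()
        stack = list(step[start])
        while stack:
            role = stack.pop()
            if role not in seen:
                seen.add(role)
                stack.extend(step.get(role, ()))
        if start in seen:
            raise ValueError(f"cycle in role hierarchy through {start}")
        result[start] = seen
    return result


def effective_roles(granted: Iterable[str], hierarchy: str) -> Set[str]:
    """Roles a principal effectively holds: the granted roles plus everything
    reachable from them. A granted role that never appears in the hierarchy is
    kept as-is and expands to nothing."""
    reach = closure(hierarchy)
    effective = set(granted)
    for role in granted:
        effective |= reach.get(role, set())
    return effective


def has_any_role(granted: Iterable[str], required: Iterable[str], hierarchy: str) -> bool:
    """Model of a @Secured(['A', 'B']) check: grant access if at least one of the
    required roles is among the principal's expanded roles."""
    return bool(effective_roles(granted, hierarchy) & set(required))


if __name__ == "__main__":
    # Which principals pass an action annotated @Secured(['ROLE_USER_WRITE'])?
    for user_roles in (["ROLE_ADMIN"], ["ROLE_OWNER"], ["ROLE_USER_WRITE"], ["ROLE_GUEST"]):
        ok = has_any_role(user_roles, ["ROLE_USER_WRITE"], HIERARCHY)
        print(f"{user_roles!s:28} expands to {sorted(effective_roles(user_roles, HIERARCHY))} -> {ok}")
```

If the model grants access but the running application does not, the hierarchy string itself is not the problem; the next thing to check is whether the role voter the application actually uses is the hierarchy-aware one, since RoleHierarchyImpl only builds the reachable-roles map and something else has to consult it at access-decision time.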
