Reputation: 105
I tried to implement a role hierarchy but it doesn't want to work. Everything else works perfectly except that. Here is my spring-security.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!-- The class attributes and closing tags were stripped from the post; standard Spring Security
     class names are restored where the surrounding configuration makes them unambiguous. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Enable method-level security via annotations -->
    <global-method-security secured-annotations="enabled" pre-post-annotations="enabled"/>

    <!-- Configure form-based authentication -->
    <http auto-config="true" use-expressions="true" entry-point-ref="securityEntryPoint">
        <intercept-url pattern="/resources/script/jquery-ui/**" access="permitAll" />
        <intercept-url pattern="/resources/script/jquery*" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <session-management invalid-session-url="/login.jsp?info=invalid">
            <concurrency-control max-sessions="1" session-registry-alias="sessionRegistry" expired-url="/login.jsp?info=expired" />
        </session-management>
        <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=credentials" />
        <logout logout-url="/logout" invalidate-session="true" logout-success-url="/login.jsp" />
    </http>

    <!-- Configure a spring security logger listener for logging authentication attempts. -->
    <beans:bean id="loggerListener" class="org.springframework.security.authentication.event.LoggerListener"/>

    <!-- Configure a delegating entry point (takes a map of request matcher -> entry point) -->
    <beans:bean id="securityEntryPoint" class="org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint">
        <beans:constructor-arg>
            <beans:map>
                <!-- Requests of type text/html or application/xhtml+xml should be handled by form-based authentication -->
                <beans:entry>
                    <beans:key>
                        <!-- request-matcher class name is missing from the post -->
                        <beans:bean class="" />
                    </beans:key>
                    <beans:bean class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
                        <beans:property name="loginFormUrl" value="/login.jsp" />
                    </beans:bean>
                </beans:entry>
            </beans:map>
        </beans:constructor-arg>
        <!-- Otherwise use BASIC authentication by default -->
        <beans:property name="defaultEntryPoint">
            <beans:bean class="org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint">
                <beans:property name="realmName" value="test Web Service" />
            </beans:bean>
        </beans:property>
    </beans:bean>

    <!-- Configure an authentication manager via our defaultUserService -->
    <authentication-manager alias="authenticationManager">
        <authentication-provider user-service-ref="defaultUserService">
            <password-encoder hash="md5" />
        </authentication-provider>
    </authentication-manager>

    <!-- Decision manager class is missing from the post; AffirmativeBased is assumed -->
    <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
        <beans:property name="decisionVoters">
            <beans:list>
                <beans:ref bean="roleVoter" />
                <beans:ref bean="authenticatedVoter" />
            </beans:list>
        </beans:property>
    </beans:bean>

    <beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
        <beans:constructor-arg ref="roleHierarchy" />
        <beans:property name="rolePrefix" value="" />
    </beans:bean>

    <!-- Referenced above but not shown in the post; assumed to be the standard voter -->
    <beans:bean id="authenticatedVoter" class="org.springframework.security.access.vote.AuthenticatedVoter" />

    <beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <beans:property name="hierarchy">
            <!-- value missing from the post; reconstructed from the question text -->
            <beans:value>PERM_READ_ALL_USER_LIST > PERM_READ_USER_LIST</beans:value>
        </beans:property>
    </beans:bean>
</beans:beans>
If I try to access a resource for which PERM_READ_USER_LIST is required, @PreAuthorize("hasRole('PERM_READ_USER_LIST')"), with a user who has PERM_READ_ALL_USER_LIST, it doesn't work, but if he has PERM_READ_USER_LIST, it works. So obviously the RoleVoter is not doing its job, but I don't get why...
Thank you.
Upvotes: 0
Views: 1515
Reputation: 120851
You have to specify the hierarchy explicitly for the MethodSecurityExpressionHandler.
See this Stack Overflow question and answer for more details: How to use role-hierarchy in Spring Security 3 with Spring EL?
Upvotes: 1
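The wiring the answer refers to, as an added example that is neither the asker's nor the answerer's configuration. The point is that @PreAuthorize expressions are evaluated by the method-security expression handler, not by the roleVoter/accessDecisionManager beans from the question, so a RoleHierarchy that is only plugged into the voter never reaches hasRole(). The same applies to the web layer: with use-expressions="true" the intercept-url access strings go through DefaultWebSecurityExpressionHandler. Assumptions: Spring Security 3.1 or later namespace (the <expression-handler> child of <http> exists from 3.1), the bean ids methodExpressionHandler and webExpressionHandler are my own, the roleHierarchy bean id and the PERM_* names come from the question, and the hierarchy string is reconstructed from the question text.

```xml
<!-- Role hierarchy bean as in the question; the value is reconstructed from the question text -->
<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
        <beans:value>PERM_READ_ALL_USER_LIST > PERM_READ_USER_LIST</beans:value>
    </beans:property>
</beans:bean>

<!-- Method security: hasRole() inside @PreAuthorize/@PostAuthorize is evaluated by this handler,
     so the hierarchy has to be set on it explicitly (bean id is an assumption) -->
<beans:bean id="methodExpressionHandler"
    class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
    <beans:property name="roleHierarchy" ref="roleHierarchy" />
</beans:bean>

<!-- @Secured is still decided by the voters, so the hierarchy-aware accessDecisionManager
     from the question is wired in as well; without this only the expression annotations honour it -->
<global-method-security secured-annotations="enabled" pre-post-annotations="enabled"
    access-decision-manager-ref="accessDecisionManager">
    <expression-handler ref="methodExpressionHandler" />
</global-method-security>

<!-- Web security: with use-expressions="true" the intercept-url access strings are evaluated by
     the web expression handler, not by the roleVoter bean, so it needs the hierarchy too -->
<beans:bean id="webExpressionHandler"
    class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <beans:property name="roleHierarchy" ref="roleHierarchy" />
</beans:bean>

<http auto-config="true" use-expressions="true" entry-point-ref="securityEntryPoint">
    <expression-handler ref="webExpressionHandler" />
    <intercept-url pattern="/resources/script/jquery-ui/**" access="permitAll" />
    <intercept-url pattern="/resources/script/jquery*" access="permitAll" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=credentials" />
    <logout logout-url="/logout" invalidate-session="true" logout-success-url="/login.jsp" />
</http>
```

A quick way to check the wiring is to authenticate a test user that holds only PERM_READ_ALL_USER_LIST and call a method annotated with @PreAuthorize("hasRole('PERM_READ_USER_LIST')"): with the handler configured the call succeeds, without it an AccessDeniedException is thrown even though the RoleHierarchyVoter alone would have granted access.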