flyingfox

Reputation: 13506

How to have a super user using Spring Security Framework?

I am using Spring Security to control authorization in my web application. I imported the security tag library in my code as below:
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags"%>
Then I use a code block like this to control whether the user has access to the specified button:

<sec:authorize ifAnyGranted="addUser">
     <button type="button">Add User</button>
</sec:authorize>

With this code, only users who have the addUser authority can see this button and use it.

Now my question is: can we have a super user who, even without the addUser authority, can still see this button?

Upvotes: 1

Views: 1534

Answers (3)

Yazid Erman

Reputation: 1186

It seems like a missing requirement, thus I have created an issue in the Spring Security repository:

https://github.com/spring-guides/top-spring-security-architecture/issues/5

Upvotes: 0

Serge Ballesta

Reputation: 149175

I'm not really sure that it is the expected answer, but Spring Security has a notion of a hierarchy of roles. That means you could create a super user role and declare it to contain the addUser authority (among others).

That way, any user having the superUser authority will (among other permissions) see your button.

References: from Hierarchical Roles in the Spring Security reference manual, you could write something like

<bean id="roleHierarchy"
        class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <property name="hierarchy">
        <value>
            ROLE_SUPER_USER > ROLE_ADD_USER
        </value>
    </property>
</bean>

Upvotes: 0
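
The hierarchy from this answer exercised in plain Java, as an added example (not code from the answer or from the Spring Security manual), showing that inheritance runs one way only. It assumes a Spring Security 3.x to 5.x jar on the classpath and uses the question's addUser authority; superUser and deleteUser are hypothetical names.

```java
import java.util.Set;

import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.core.authority.AuthorityUtils;

public class SuperUserHierarchyCheck {

    // Same shape as the XML bean above, using the question's "addUser" authority.
    // "superUser" and "deleteUser" are hypothetical names chosen for this example.
    static RoleHierarchyImpl hierarchy() {
        RoleHierarchyImpl h = new RoleHierarchyImpl();
        h.setHierarchy("superUser > addUser\nsuperUser > deleteUser");
        return h;
    }

    // Expand the authorities a user was granted into everything the hierarchy implies.
    static Set<String> effective(String... granted) {
        return AuthorityUtils.authorityListToSet(
                hierarchy().getReachableGrantedAuthorities(
                        AuthorityUtils.createAuthorityList(granted)));
    }

    static void require(boolean condition, String message) {
        if (!condition) {
            throw new IllegalStateException(message);
        }
    }

    public static void main(String[] args) {
        Set<String> superUser = effective("superUser");
        Set<String> clerk = effective("addUser");

        // The super user inherits every authority listed below it.
        require(superUser.contains("addUser"), "superUser should imply addUser");
        require(superUser.contains("deleteUser"), "superUser should imply deleteUser");

        // Inheritance runs one way: holding addUser must not grant anything else.
        require(!clerk.contains("superUser"), "addUser must not imply superUser");
        require(!clerk.contains("deleteUser"), "addUser must not imply deleteUser");

        System.out.println("superUser -> " + superUser);
        System.out.println("addUser   -> " + clerk);
    }
}
```

Declaring the roleHierarchy bean has no effect until it is wired into the component that makes the access decision, for example a RoleHierarchyVoter.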

holmis83

Reputation: 16644

No, I don't think there is such a feature built into Spring Security. You can either:

  1. have a super user role (authority) that you check for in every authorization check, or

  2. give your super user all possible authorities in your authentication provider or user details service.

Upvotes: 1
