Skip to content

Commit 6f4d051

Browse files
evgeniychebaneleftherias
evgeniycheban
authored and
eleftherias
committed
DefaultWebSecurityExpressionHandler uses RoleHierarchy bean
Fixes gh-7059
1 parent e146a7c commit 6f4d051

File tree

2 files changed

+37
-2
lines changed

2 files changed

+37
-2
lines changed

config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
/*
2-
* Copyright 2002-2018 the original author or authors.
2+
* Copyright 2002-2020 the original author or authors.
33
*
44
* Licensed under the Apache License, Version 2.0 (the "License");
55
* you may not use this file except in compliance with the License.
@@ -31,6 +31,7 @@
3131
import org.springframework.http.HttpMethod;
3232
import org.springframework.security.access.PermissionEvaluator;
3333
import org.springframework.security.access.expression.SecurityExpressionHandler;
34+
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
3435
import org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder;
3536
import org.springframework.security.config.annotation.ObjectPostProcessor;
3637
import org.springframework.security.config.annotation.SecurityBuilder;
@@ -74,6 +75,7 @@
7475
* @see WebSecurityConfiguration
7576
*
7677
* @author Rob Winch
78+
* @author Evgeniy Cheban
7779
* @since 3.2
7880
*/
7981
public final class WebSecurity extends
@@ -385,6 +387,11 @@ public void setApplicationContext(ApplicationContext applicationContext)
385387
throws BeansException {
386388
this.defaultWebSecurityExpressionHandler
387389
.setApplicationContext(applicationContext);
390+
391+
try {
392+
this.defaultWebSecurityExpressionHandler.setRoleHierarchy(applicationContext.getBean(RoleHierarchy.class));
393+
} catch (NoSuchBeanDefinitionException e) {}
394+
388395
try {
389396
this.defaultWebSecurityExpressionHandler.setPermissionEvaluator(applicationContext.getBean(
390397
PermissionEvaluator.class));

config/src/test/java/org/springframework/security/config/annotation/web/configuration/WebSecurityConfigurationTests.java

Lines changed: 29 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,5 @@
11
/*
2-
* Copyright 2002-2018 the original author or authors.
2+
* Copyright 2002-2020 the original author or authors.
33
*
44
* Licensed under the Apache License, Version 2.0 (the "License");
55
* you may not use this file except in compliance with the License.
@@ -32,6 +32,8 @@
3232
import org.springframework.security.access.PermissionEvaluator;
3333
import org.springframework.security.access.expression.AbstractSecurityExpressionHandler;
3434
import org.springframework.security.access.expression.SecurityExpressionHandler;
35+
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
36+
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
3537
import org.springframework.security.authentication.TestingAuthenticationToken;
3638
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
3739
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -68,6 +70,7 @@
6870
*
6971
* @author Rob Winch
7072
* @author Joe Grandja
73+
* @author Evgeniy Cheban
7174
*/
7275
public class WebSecurityConfigurationTests {
7376
@Rule
@@ -270,6 +273,31 @@ protected void configure(HttpSecurity http) throws Exception {
270273
}
271274
}
272275

276+
@Test
277+
public void securityExpressionHandlerWhenRoleHierarchyBeanThenRoleHierarchyUsed() {
278+
this.spring.register(WebSecurityExpressionHandlerRoleHierarchyBeanConfig.class).autowire();
279+
TestingAuthenticationToken authentication = new TestingAuthenticationToken("user", "notused", "ROLE_ADMIN");
280+
FilterInvocation invocation = new FilterInvocation(new MockHttpServletRequest("GET", ""),
281+
new MockHttpServletResponse(), new MockFilterChain());
282+
283+
AbstractSecurityExpressionHandler handler = this.spring.getContext().getBean(AbstractSecurityExpressionHandler.class);
284+
EvaluationContext evaluationContext = handler.createEvaluationContext(authentication, invocation);
285+
Expression expression = handler.getExpressionParser()
286+
.parseExpression("hasRole('ROLE_USER')");
287+
boolean granted = expression.getValue(evaluationContext, Boolean.class);
288+
assertThat(granted).isTrue();
289+
}
290+
291+
@EnableWebSecurity
292+
static class WebSecurityExpressionHandlerRoleHierarchyBeanConfig extends WebSecurityConfigurerAdapter {
293+
@Bean
294+
RoleHierarchy roleHierarchy() {
295+
RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
296+
roleHierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");
297+
return roleHierarchy;
298+
}
299+
}
300+
273301
@Test
274302
public void securityExpressionHandlerWhenPermissionEvaluatorBeanThenPermissionEvaluatorUsed() throws Exception {
275303
this.spring.register(WebSecurityExpressionHandlerPermissionEvaluatorBeanConfig.class).autowire();

0 commit comments

Comments
 (0)