RoleHierarchy is not used by AbstractAuthorizeTag

[larsgrefer]

Summary

I've noticed a strange behaviour when setting up a RoleHierarchy in a simple Spring Boot application, when trying to use it with org.springframework.security.taglibs.authz.AbstractAuthorizeTag

Actual Behavior

Effektively two DefaultWebSecurityExpressionHandler get created:

• spring-security/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java

  Lines 98 to 100 in ce79ef2

  	private DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();
  	private SecurityExpressionHandler<FilterInvocation> expressionHandler = defaultWebSecurityExpressionHandler;

• spring-security/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java

  Lines 209 to 231 in ce79ef2

  	DefaultWebSecurityExpressionHandler defaultHandler = new DefaultWebSecurityExpressionHandler();
  	AuthenticationTrustResolver trustResolver = http
  	.getSharedObject(AuthenticationTrustResolver.class);
  	if (trustResolver != null) {
  	defaultHandler.setTrustResolver(trustResolver);
  	}
  	ApplicationContext context = http.getSharedObject(ApplicationContext.class);
  	if (context != null) {
  	String[] roleHiearchyBeanNames = context.getBeanNamesForType(RoleHierarchy.class);
  	if (roleHiearchyBeanNames.length == 1) {
  	defaultHandler.setRoleHierarchy(context.getBean(roleHiearchyBeanNames[0], RoleHierarchy.class));
  	}
  	String[] grantedAuthorityDefaultsBeanNames = context.getBeanNamesForType(GrantedAuthorityDefaults.class);
  	if (grantedAuthorityDefaultsBeanNames.length == 1) {
  	GrantedAuthorityDefaults grantedAuthorityDefaults = context.getBean(grantedAuthorityDefaultsBeanNames[0], GrantedAuthorityDefaults.class);
  	defaultHandler.setDefaultRolePrefix(grantedAuthorityDefaults.getRolePrefix());
  	}
  	String[] permissionEvaluatorBeanNames = context.getBeanNamesForType(PermissionEvaluator.class);
  	if (permissionEvaluatorBeanNames.length == 1) {
  	PermissionEvaluator permissionEvaluator = context.getBean(permissionEvaluatorBeanNames[0], PermissionEvaluator.class);
  	defaultHandler.setPermissionEvaluator(permissionEvaluator);
  	}
  	}

The second one picks up my RoleHierarchy bean, but the first doesnt.
org.springframework.security.taglibs.authz.AbstractAuthorizeTag#getExpressionHandler resolves the first handler, therefore the RoleHierarchy is ignored.

Expected Behavior

I'd expect AbstractAuthorizeTag to use my RoleHierarchy when resolving hasRole() expressions.

Configuration

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

	@Override
	protected void configure(AuthenticationManagerBuilder auth) throws Exception {
		auth.inMemoryAuthentication()
			.withUser("admin").password("{noop}admin").roles("admin").and()
			.withUser("user").password("{noop}user").roles("user");
	}

	@Bean
	public RoleHierarchy roleHierarchy() {
		RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
		roleHierarchy.setHierarchy("ROLE_admin > ROLE_user");
		return roleHierarchy;
	}
}

Version

Spring Security 5.2.0.M3

Sample

see #2997
see #4115
see 8a66d0c#diff-23827daef0917bb5218098c8108b9125

[larsgrefer]

After doing some more research, I think this issue is related to #5272

[rwinch]

Thanks for the report @larsgrefer! Would you be willing to submit a PR for this?

[larsgrefer]

I'm not sure how exactly this PR should look like.

Ideally there would be only one DefaultWebSecurityExpressionHandler instance which is used everywhere by default (instead of multiple instances whose default configuration needs to be kept in sync), but where should this instance be created and where should it be configured?

[rwinch]

@larsgrefer I think we should start by fixing the immediate problem and updating the configuration to be kept in sync. This will be faster and less risky (which is desirable for a bug fix). We can explore using the same instance in a separate PR.

[evgeniycheban]

@rwinch I can take this task.

[rwinch]

Thank you @evgeniycheban The issue is yours