Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RoleHierarchy not automatically inject in overwritten MethodSecurityExpressionHandler bean #16307

Open
plumarr opened this issue Dec 19, 2024 · 3 comments
Labels
in: config An issue in spring-security-config status: waiting-for-feedback We need additional information before we can continue

Comments

@plumarr
Copy link

plumarr commented Dec 19, 2024

If you manually define both a RoleHierarchy bean and a MethodSecurityExpressionHandler, the RoleHierarchy isn't injected in the MethodSecurityExpressionHandler bean. As a result, the role hierarchy isn't applied when calling hasRole() when securing a method with @PreAuthorize.

To Reproduce

  1. Define a RoleHierarchy bean
  2. Manually define the bean for the MethodSecurityExpressionHandler. For example, by inheriting DefaultMethodSecurityExpressionHandler.

Expected behavior
The RoleHierarchy bean is injected in the manually defined MethodSecurityExpressionHandler and can be used with @PreAuthorize and hasRole()

Current behavior
When you launch the application the following happens in order:

  1. PrePostMethodSecurityConfiguration initialize expressionHandler with a manually created DefaultMethodSecurityExpressionHandler
  2. The RoleHierarchy bean is injected in PrePostMethodSecurityConfiguration and expressionHandler.setRoleHierarchy is called
  3. The manually defined MethodSecurityExpressionHandler. bean is injected in PrePostMethodSecurityConfiguration and the configuration is adapted, but the method setRoleHierarchy isn't called on the new bean.
@plumarr plumarr added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Dec 19, 2024
@jzheaux
Copy link
Contributor

jzheaux commented Dec 19, 2024

Can you please post some code to help me see what code you'd expect to work?

@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Dec 19, 2024
@kse-music
Copy link
Contributor

kse-music commented Dec 20, 2024

I think when provide custom MethodSecurityExpressionHandler bean and some other bean that include not only RoleHierarchy but also GrantedAuthorityDefaults, ApplicationContext, etc, we need to provide full function bean like this.

  @Bean
    MethodSecurityExpressionHandler customMethodSecurityExpressionHandler(RoleHierarchy roleHierarchy) {
        DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
        expressionHandler.setRoleHierarchy(roleHierarchy);
        expressionHandler.setDefaultRolePrefix("...");
	this.expressionHandler.setApplicationContext(context);
        return expressionHandler;
    }

Additionally, when both a custom MethodSecurityExpressionHandler and RoleHierarchy are provided, is it necessary to configure them within the framework? @jzheaux

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Dec 20, 2024
@jzheaux
Copy link
Contributor

jzheaux commented Dec 20, 2024

You are correct, @kse-music, this is covered in the reference specifically with respect to RoleHierarchy.

Since RoleHierarchy is used in multiple places, it should be published as a bean. This allows all Spring Security components to pick it up and then evaluate roles in the same way.

That said, I'd still like to give @plumarr the opportunity to respond in case I haven't correctly understood their question.

@jzheaux jzheaux added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Dec 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: config An issue in spring-security-config status: waiting-for-feedback We need additional information before we can continue
Projects
None yet
Development

No branches or pull requests

4 participants