Home/ Questions/Q 8059583
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-05T09:43:00+00:00

I am using the springsecurity plugin in Grails 2.0.1. My role hierarchy and other

  • 0

I am using the springsecurity plugin in Grails 2.0.1. My role hierarchy and other s2 properties are shown below. 

grails.plugins.springsecurity.userLookup.userDomainClassName = 'myApp.security.User'
grails.plugins.springsecurity.userLookup.authorityJoinClassName = 'myApp.security.UserRole'
grails.plugins.springsecurity.authority.className = 'myApp.security.Role'
grails.plugins.springsecurity.successHandler.defaultTargetUrl="/index"
grails.plugins.springsecurity.securityConfigType = "Annotation"

//grails.plugins.springsecurity.rejectIfNoRule = true
grails.plugins.springsecurity.roleHierarchy = '''
    ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
    ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
    ROLE_OWNER > ROLE_USER_WRITE
'''

As per the documentation, if my @secured annotation allows ROLE_USER_WRITE, then all other roles need to be allowed access as well. Similarly, if I were to use a tag, then ROLE_OWNER, ROLE_OWNER_TRANSFER_PRIVILEGE and ROLE_ADMIN must equate to true. But, this doesn’t work, instead I am forced to list each role. I checked the debug logs and it looks like this

2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - setHierarchy() - The following role hierarchy was set: 
        ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
        ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
        ROLE_OWNER > ROLE_USER_WRITE

2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - buildRolesReachableInOneStepMap() - From role ROLE_ADMIN one can reach r
ole ROLE_OWNER_TRANSFER_PRIVILEGE in one step.
2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - buildRolesReachableInOneStepMap() - From role ROLE_OWNER_TRANSFER_PRIVIL
EGE one can reach role ROLE_OWNER in one step.
2012-06-01 09:28:14,802 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - buildRolesReachableInOneStepMap() - From role ROLE_OWNER one can reach r
ole ROLE_USER_WRITE in one step.
2012-06-01 09:28:14,803 [pool-5-thread-1] DEBUG hierarchicalroles.RoleHierarchyImpl  - buildRolesReachableInOneOrMoreStepsMap() - From role ROLE_ADMIN one can 
reach [ROLE_OWNER_TRANSFER_PRIVILEGE, ROLE_USER_WRITE, ROLE_OWNER] in one or more steps.
...

It seems like the role hierarchies are being created, but they are not enforced while the application is running. What am I doing wrong and how do I get this to work as per the documentation?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    roleHierarchies need to have a complete tree structure to work. In my question I represented half the hierarchy, it turned out be an incomplete tree representation. Something like :

    ROLE_ADMIN > ROLE_OWNER_TRANSFER_PRIVILEGE
ROLE_OWNER_TRANSFER_PRIVILEGE > ROLE_OWNER
ROLE_OWNER > ROLE_USER_WRITE
ROLE_USER > ROLE_READ

    Here the ROLE_USER and ROLE_USER_WRITE are disconnected subtrees of hierarchies and spring security wasn’t, understandably, able to resolve this while resolving permissions.

    • 0