Home/ Questions/Q 6005599
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T01:25:12+00:00

I’m currently looking into the spring-security framework – great stuff so far, pretty impressed.

  • 0

I’m currently looking into the spring-security framework – great stuff so far, pretty impressed.
However, I haven’t found out where or how to define a inheritance of permissions.

e.g. I want the ROLE_ADMIN to have at least the same rights as the ROLE_USER. I defined three intercep-urls for spring:

 <intercept-url pattern="/auth/login.do" access="permitAll"/>
 <intercept-url pattern="/voting/*" access="hasRole('ROLE_USER')"/>
 <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>

When trying to access any site nesting from /voting/, while being logged in as a ROLE_ADMIN user, I am being denied. Am I missing something here? I know, I could define several roles for the /voting/* branch, but if I imagine that I might have 10 different user roles in one of my real-life usecases, I can imagine the .xml file to get really messy, really fast.

Can I configure the inheritance of roles somewhere?

cheers

EDIT:

Thanks to the great community and their input, I came up with a working solution – it may be good style or not – it works 😀

I defined an enum which reflects the inheriting spring-sec roles:

public enum UserRoles {
     ROLE_USER(new String[]{"ROLE_USER"}),
     ROLE_ADMIN(new String[]{"ROLE_USER", "ROLE_ADMIN"});
     private final String[] roles;

     private UserRoles(String[] roles) {
          this.roles = roles;
     }

     public String[] getRoles() {
          return roles;
     }
}

I then implemented my own UserDetailsService:

Within the methode

@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { ... }

where it comes to adding granted authorities to a UserDetail, I get the corresponding enum value and append all the roles defined by this enum value:

        List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(2);
        for (String role : UserRoles.ROLE_ADMIN.getRoles()) {
            authList.add(new GrantedAuthorityImpl(role));
        }
        UserDetails user = null;
        try {
            //user = new User(username, md5.hashPassword(username), true, true, true, true, authList);
        } catch (NoSuchAlgorithmException ex) {
            logger.error(ex.getMessage(), ex);
        }

My domain object which is persisted, contains a @Enumerated field with a UserRole – in a real environment, this field is loaded from the DB and the corresponding Roles are picked from that enum.

thanks again for the input – love this community ^^

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    As far as I know, Spring Security does not support the concept of Roles and Privileges. In Spring security are only Roles sometimes called Authority — Moreover: In Spring Security are Roles/Authorities that what in a Roles and Privileges System is called Privileges.

    So if you want to build a System of Roles and Privileges, then you need to do it by your one by building your own Spring Security AuthenticationManager, and tread the Spring Security Roles/Authorities like Privileges.

    @See This Blog: Spring Security customization (Part 1 – Customizing UserDetails or extending GrantedAuthority) — It is written for Spring Security 2.0 and shows how to implement what I am talking about. It also stayes that RoleHierarchy has some drawbacks, but this article is about 2.0, may the drawbacks are gone in 3.0

    • 0