Question:
I am using role hierarchy in Spring Security.
ROLE_USER > ROLE_GUEST
I am securing methods using protect-pointcut
However, I get an AccessDeniedException if I log in with a user that has the authority ROLE_USER. I have no issue if I specify the protect-pointcut with access="ROLE_GUEST,ROLE_USER".
Am I missing some steps? FYI, I am using Spring 3.0.5.
Thanks.
Answer 1:
Have a look at bug report SEC-1163 and the comment below.
If you want basic support for role hierarchies, then use a RoleHierarchyVoter, instead of a RoleVoter.
So you need something like:
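As an added example (the answer's own snippet did not survive on this page, so this is not the answerer's code): a Spring Security 3.0.x XML configuration that replaces the default RoleVoter with a RoleHierarchyVoter for method security, using the hierarchy from the question. The service package in the pointcut expression (com.example.service) is an assumption.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- The hierarchy from the question: holding ROLE_USER also grants ROLE_GUEST. -->
    <bean id="roleHierarchy"
          class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <property name="hierarchy">
            <value>ROLE_USER > ROLE_GUEST</value>
        </property>
    </bean>

    <!-- A plain RoleVoter compares authority names literally, so a principal holding only
         ROLE_USER is denied a pointcut that requires ROLE_GUEST. RoleHierarchyVoter first
         expands the principal's authorities through the hierarchy, then votes. -->
    <bean id="accessDecisionManager"
          class="org.springframework.security.access.vote.AffirmativeBased">
        <property name="decisionVoters">
            <list>
                <bean class="org.springframework.security.access.vote.RoleHierarchyVoter">
                    <constructor-arg ref="roleHierarchy"/>
                </bean>
                <!-- Keep AuthenticatedVoter so IS_AUTHENTICATED_* attributes still work. -->
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
            </list>
        </property>
    </bean>

    <!-- Method security wired to the custom decision manager. The pointcut names only
         ROLE_GUEST; a user holding ROLE_USER now passes as well. Package name is assumed. -->
    <security:global-method-security access-decision-manager-ref="accessDecisionManager">
        <security:protect-pointcut
            expression="execution(* com.example.service.*Service.*(..))"
            access="ROLE_GUEST"/>
    </security:global-method-security>
</beans>
```

The key point is that the hierarchy is resolved by the voter, not by the pointcut: access="ROLE_GUEST" stays as written, and the check is whether the caller's expanded authority set contains it. With the default RoleVoter the same configuration denies ROLE_USER, which is exactly the symptom in the question.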
Answer 2:
Don't forget to add a WebExpressionVoter to be able to also use expressions in the http element:
...
So I end up with an accessDecisionManager containing a role hierarchy voter and a WebExpressionVoter, both using the same roleHierarchyImpl bean.
ROLE_SUPERVISOR > ROLE_XX
ROLE_XX > ROLE_AUTHENTICATED
ROLE_AUTHENTICATED > ROLE_UNAUTHENTICATED
(spring sec 3.1)
Answer 3:
The nested beans are slightly wrong in jgraglia's example above, and you don't need because the hierarchy is handled in WebExpressionVoter. I'm doing this in Spring Security 4.0.0, but the code looks the same except you don't need use-expressions="true" because it's on by default.
I usually try and nest my beans as much as possible, so my code has no ref="" values unless required.
ROLE_ADMIN > ROLE_USER
ROLE_USER > ROLE_ANONYMOUS
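As an added example covering both Answer 2 (hierarchy-aware expressions in the http element) and Answer 3 (fully nested beans, Spring Security 4.0, no use-expressions attribute), and not code from either answerer: an accessDecisionManager whose only voter is a WebExpressionVoter, with the RoleHierarchyImpl nested inside the expression handler. The URL patterns are assumptions for illustration. For Answer 2's Spring Security 3.1 setup the same structure applies, with use-expressions="true" on the http element and, where a RoleHierarchyVoter is also wanted for method security, an id on the RoleHierarchyImpl bean so both voters can reference the same hierarchy.

```xml
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:security="http://www.springframework.org/schema/security"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security.xsd">

    <!-- Spring Security 4.0: expressions are on by default, so no use-expressions="true".
         The hierarchy lives inside the expression handler, so hasRole('ROLE_USER') is
         satisfied by a principal holding ROLE_ADMIN. Everything is nested; no ref="". -->
    <bean id="accessDecisionManager"
          class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                    <property name="expressionHandler">
                        <bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
                            <property name="roleHierarchy">
                                <bean class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
                                    <property name="hierarchy">
                                        <value>
                                            ROLE_ADMIN > ROLE_USER
                                            ROLE_USER > ROLE_ANONYMOUS
                                        </value>
                                    </property>
                                </bean>
                            </property>
                        </bean>
                    </property>
                </bean>
            </list>
        </constructor-arg>
    </bean>

    <!-- URL patterns below are assumed for illustration. Because the hierarchy is applied
         by the expression handler, each rule names only the lowest role that should pass;
         ROLE_ADMIN reaches /account/** and /** without being listed there. -->
    <security:http access-decision-manager-ref="accessDecisionManager">
        <security:intercept-url pattern="/admin/**"   access="hasRole('ROLE_ADMIN')"/>
        <security:intercept-url pattern="/account/**" access="hasRole('ROLE_USER')"/>
        <security:intercept-url pattern="/**"         access="hasRole('ROLE_ANONYMOUS')"/>
        <security:form-login/>
    </security:http>
</beans>
```

One practical check: the hierarchy only takes effect for the voters that are given it. If method security uses a separate decision manager with a plain RoleVoter, ROLE_ADMIN will still be denied a ROLE_USER pointcut there even though the web layer accepts it, so wire the same RoleHierarchyImpl into both places.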