Question
I am trying to get role hierarchies to work in my application. The only thing I want is the defined hierarchy at all levels: at the URL level and for now also at the view level (in my JSP files).
I use the following setup:
<beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
        <beans:list>
            <beans:ref bean="roleHierarchyVoter"/>
            <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter">
                <beans:property name="expressionHandler">
                    <beans:bean class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
                        <beans:property name="roleHierarchy" ref="roleHierarchy"/>
                    </beans:bean>
                </beans:property>
            </beans:bean>
            <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
        </beans:list>
    </beans:property>
</beans:bean>
<beans:bean id="roleHierarchyVoter" class="org.springframework.security.access.vote.RoleHierarchyVoter">
    <beans:constructor-arg ref="roleHierarchy"/>
</beans:bean>
<beans:bean id="roleHierarchy" class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
    <beans:property name="hierarchy">
        <beans:value>
            ROLE_ADMIN > ROLE_OWNER
            ROLE_OWNER > ROLE_DISTRIBUTOR
            ROLE_DISTRIBUTOR > ROLE_RESELLER
            ROLE_RESELLER > ROLE_USER
        </beans:value>
    </beans:property>
</beans:bean>
<http auto-config="true" use-expressions="true" access-decision-manager-ref="accessDecisionManager">
    ...
</http>
For the URL level (intercept URLs) it works very well, but in my JSP files it does not. The problem is that I did not properly understand the config needed to get the role hierarchy to work there.
<security:authorize access="hasRole('ROLE_ADMIN')">
    <div class="span4">
        <h2>Admin</h2>
    </div><!--/span-->
</security:authorize>
<security:authorize access="hasRole('ROLE_OWNER')">
    <div class="span4">
        <h2>Owner</h2>
    </div><!--/span-->
</security:authorize>
<security:authorize access="hasRole('ROLE_DISTRIBUTOR')">
    <div class="span4">
        <h2>Distributor</h2>
    </div><!--/span-->
</security:authorize>
I use this simple example to test the role hierarchy at the view level, but it does not work. Only the user with the admin role can see his block, but not the others.
Does someone have an idea what I'm doing wrong with my config?
Answer 1:
I had the same issue (Spring Security 3.2.5).
Resolved by declaring my DefaultWebSecurityExpressionHandler before the <http> section:
<!-- This must go before the http element in order to be used by security:authorize tags using the access attribute -->
<!-- https://jira.spring.io/browse/SEC-1452 -->
<beans:bean id="webSecurityExpressionHandler" class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
    <beans:property name="roleHierarchy" ref="roleHierarchy" />
</beans:bean>
see https://jira.spring.io/browse/SEC-1452 and http://forum.spring.io/forum/spring-projects/security/67494-configuration-of-spring-security-3-0m1-expression-handler-bug/page3
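As an added illustration of why the wiring matters (example code, not from the question or the answer; it assumes Spring Security 3.x on the classpath and a dummy request path of /index.jsp), this evaluates the same hasRole('ROLE_OWNER') expression for a user holding only ROLE_ADMIN, once against a DefaultWebSecurityExpressionHandler with no roleHierarchy set, which is what the authorize tag falls back to when it cannot find the wired bean, and once against one with the question's hierarchy set.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

public class RoleHierarchyCheck {

    // Same hierarchy string as the roleHierarchy bean in the question.
    static final String HIERARCHY =
        "ROLE_ADMIN > ROLE_OWNER\n" +
        "ROLE_OWNER > ROLE_DISTRIBUTOR\n" +
        "ROLE_DISTRIBUTOR > ROLE_RESELLER\n" +
        "ROLE_RESELLER > ROLE_USER";

    /** Evaluates a web security expression (as the authorize tag does) for the given user. */
    static boolean evaluate(DefaultWebSecurityExpressionHandler handler,
                            Authentication auth, String expression) {
        // Hypothetical request: the tag only needs a FilterInvocation to build the context.
        FilterInvocation fi = new FilterInvocation("/index.jsp", "GET");
        EvaluationContext ctx = handler.createEvaluationContext(auth, fi);
        Expression expr = handler.getExpressionParser().parseExpression(expression);
        return ExpressionUtils.evaluateAsBoolean(expr, ctx);
    }

    public static void main(String[] args) {
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
        roleHierarchy.setHierarchy(HIERARCHY);

        // Constructed test user who directly holds only ROLE_ADMIN.
        Authentication admin = new TestingAuthenticationToken("admin", "n/a", "ROLE_ADMIN");

        // 1. Handler without the hierarchy: only the literal authority matches.
        DefaultWebSecurityExpressionHandler plain = new DefaultWebSecurityExpressionHandler();
        System.out.println("no hierarchy,   hasRole('ROLE_OWNER'): "
            + evaluate(plain, admin, "hasRole('ROLE_OWNER')"));

        // 2. Handler with the hierarchy wired in, as the answer's bean does:
        //    the reachable roles below ROLE_ADMIN now satisfy hasRole as well.
        DefaultWebSecurityExpressionHandler hierarchical = new DefaultWebSecurityExpressionHandler();
        hierarchical.setRoleHierarchy(roleHierarchy);
        System.out.println("with hierarchy, hasRole('ROLE_OWNER'): "
            + evaluate(hierarchical, admin, "hasRole('ROLE_OWNER')"));
        System.out.println("with hierarchy, hasRole('ROLE_USER'):  "
            + evaluate(hierarchical, admin, "hasRole('ROLE_USER')"));
    }
}
```

The first line shows the symptom from the question (the admin does not pass the owner check) and the next two show the behaviour once the hierarchy-aware handler is the one the tag actually uses.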
Source: https://stackoverflow.com/questions/11431469/how-to-get-spring-security-role-hierarchy-in-jsp-to-work