SpringSecurity : Implement Role Hierarchy with In-Memory Authentication

In order to configure a role hierarchy, you need to

  • create a RoleHierarchy bean, and
  • define an expression handler that reads the role hierarchy, and register it with authorizeRequests() (the bean alone does not affect hasAuthority()/hasRole() checks).


  1. package com.ekiras.ss.config;  
  2.   
  3. import org.springframework.context.annotation.Bean;  
  4. import org.springframework.security.access.expression.SecurityExpressionHandler;  
  5. import org.springframework.security.access.hierarchicalroles.RoleHierarchy;  
  6. import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;  
  7. import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;  
  8. import org.springframework.security.config.annotation.web.builders.HttpSecurity;  
  9. import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;  
  10. import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;  
  11. import org.springframework.security.web.FilterInvocation;  
  12. import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;  
  13.   
  14. /** 
  15.  * @author ekansh 
  16.  * @since 30/3/16 
  17.  */  
  18. @EnableWebSecurity  
  19. public class SpringSecurityConfigurer extends WebSecurityConfigurerAdapter{  
  20.   
  21.     private SecurityExpressionHandler<FilterInvocation> webExpressionHandler() {  
  22.         DefaultWebSecurityExpressionHandler defaultWebSecurityExpressionHandler = new DefaultWebSecurityExpressionHandler();  
  23.         defaultWebSecurityExpressionHandler.setRoleHierarchy(roleHierarchy());  
  24.         return defaultWebSecurityExpressionHandler;  
  25.     }  
  26.   
  27.     @Bean  
  28.     public RoleHierarchy roleHierarchy(){  
  29.         RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();  
  30.         roleHierarchy.setHierarchy("ADMIN > USER");  
  31.         return roleHierarchy;  
  32.     }  
  33.   
  34.     @Override  
  35.     protected void configure(AuthenticationManagerBuilder auth) throws Exception {  
  36.         auth.inMemoryAuthentication()  
  37.                 .withUser("ekansh")  
  38.                 .password("password")  
  39.                 .authorities("USER""ROLE");  
  40.         auth.inMemoryAuthentication()  
  41.                 .withUser("admin")  
  42.                 .password("admin")  
  43.                 .authorities("ADMIN");  
  44.     }  
  45.   
  46.     @Override  
  47.     protected void configure(HttpSecurity http) throws Exception {  
  48.         http  
  49.             .authorizeRequests()  
  50.                 .expressionHandler(webExpressionHandler())  
  51.                 .antMatchers("/admin/**").hasAuthority("ADMIN")  
  52.                 .antMatchers("/user/**").hasAuthority("USER")  
  53.                 .anyRequest().authenticated()  
  54.             .and()  
  55.             .formLogin()  
  56.             .and()  
  57.             .logout()  
  58.         ;  
  59.     }  
  60.       
  61. }  

The example above uses the hierarchy ADMIN > USER. Extending it to ADMIN > MODERATOR > USER, as in the bean below, gives a hierarchy where

  • ADMIN has access to the MODERATOR and USER roles,
  • MODERATOR has access to the USER role, and
  • USER has access to neither the MODERATOR nor the ADMIN role.


    @Bean
    public RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
        roleHierarchy.setHierarchy("ADMIN > MODERATOR > USER");
        return roleHierarchy;
    }
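A quick way to verify what a hierarchy string actually grants before wiring it into HttpSecurity is to feed single authorities through RoleHierarchyImpl.getReachableGrantedAuthorities, which is the same lookup the expression handler performs. The class below is an added example, not code from the original post; the class name RoleHierarchyCheck and its package are placeholders.

```java
package com.ekiras.ss.config; // placeholder, matches the post's package

import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

/** Added example: checks the effective authorities implied by the three-level hierarchy. */
public class RoleHierarchyCheck {

    static RoleHierarchy hierarchy() {
        RoleHierarchyImpl h = new RoleHierarchyImpl();
        h.setHierarchy("ADMIN > MODERATOR > USER"); // same string as the bean above
        return h;
    }

    /** Authorities a user holding exactly {@code authority} effectively has. */
    static Set<String> reachable(RoleHierarchy h, String authority) {
        return h.getReachableGrantedAuthorities(List.of(new SimpleGrantedAuthority(authority)))
                .stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
    }

    public static void main(String[] args) {
        RoleHierarchy h = hierarchy();
        Set<String> admin = reachable(h, "ADMIN");
        Set<String> moderator = reachable(h, "MODERATOR");
        Set<String> user = reachable(h, "USER");

        // Inheritance flows downward only: ADMIN implies MODERATOR and USER,
        // MODERATOR implies USER, and USER gains nothing extra.
        if (!admin.equals(Set.of("ADMIN", "MODERATOR", "USER"))) throw new AssertionError(admin);
        if (!moderator.equals(Set.of("MODERATOR", "USER"))) throw new AssertionError(moderator);
        if (!user.equals(Set.of("USER"))) throw new AssertionError(user);

        System.out.println("ADMIN     -> " + admin);
        System.out.println("MODERATOR -> " + moderator);
        System.out.println("USER      -> " + user);
    }
}
```

Because the check uses the same RoleHierarchy instance that the expression handler receives, a hierarchy string that fails here (for example a typo in a role name) would silently grant less than intended in the URL rules above.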

This is an easy way to configure and manage roles and role permissions for making security groups.
