3

I'm currently looking into the spring-security framework - great stuff so far, pretty impressed. However, I haven't found out where or how to define an inheritance of permissions.

e.g. I want the ROLE_ADMIN to have at least the same rights as the ROLE_USER. I defined three intercept-urls for spring:

 <intercept-url pattern="/auth/login.do" access="permitAll"/>
 <intercept-url pattern="/voting/*" access="hasRole('ROLE_USER')"/>
 <intercept-url pattern="/admin/*" access="hasRole('ROLE_ADMIN')"/>

When trying to access any page nested under /voting/ while being logged in as a ROLE_ADMIN user, I am being denied. Am I missing something here? I know I could define several roles for the /voting/* branch, but if I imagine that I might have 10 different user roles in one of my real-life use cases, I can imagine the .xml file getting really messy, really fast.

Can I configure the inheritance of roles somewhere?

cheers

EDIT:

Thanks to the great community and their input, I came up with a working solution - it may be good style or not - it works :D

I defined an enum which reflects the inheriting spring-sec roles:

public enum UserRoles {
    // each value lists every Spring Security authority it carries,
    // so ROLE_ADMIN "inherits" ROLE_USER simply by including it
    ROLE_USER("ROLE_USER"),
    ROLE_ADMIN("ROLE_USER", "ROLE_ADMIN");

    private final String[] roles;

    private UserRoles(String... roles) {
        this.roles = roles;
    }

    public String[] getRoles() {
        return roles;
    }
}

I then implemented my own UserDetailsService:

Within the method

@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { ... }

where it comes to adding granted authorities to a UserDetail, I get the corresponding enum value and append all the roles defined by this enum value:

        // in a real environment the role comes from the persisted user's
        // @Enumerated field; ROLE_ADMIN is hard-coded here to show the expansion
        UserRoles storedRole = UserRoles.ROLE_ADMIN;
        List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>(storedRole.getRoles().length);
        for (String role : storedRole.getRoles()) {
            // GrantedAuthorityImpl is deprecated from 3.1 on (SimpleGrantedAuthority replaces it)
            authList.add(new GrantedAuthorityImpl(role));
        }
        UserDetails user = null;
        // password hash lookup (md5.hashPassword in my code) goes here:
        // user = new User(username, md5.hashPassword(username), true, true, true, true, authList);

My domain object which is persisted, contains a @Enumerated field with a UserRole - in a real environment, this field is loaded from the DB and the corresponding Roles are picked from that enum.

thanks again for the input - love this community ^^

chzbrgla
    The usual model is to enforce this at the configuration level so that admins have _both_ `ROLE_USER` and `ROLE_ADMIN`. That actually allows for finer-grained possibilities too (e.g., admins who can't vote). – Donal Fellows Jun 07 '11 at 10:08
  • Hm.. good point! So I can actually write my own UserDetailsService implementation and make sure to give the user the right roles there. Thanks! – chzbrgla Jun 07 '11 at 10:53

2 Answers

5

Check out RoleHierarchy and RoleHierarchyImpl and this question.

sourcedelica
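The following is a worked configuration for the RoleHierarchy approach this answer points to. It is an added example, not part of sourcedelica's answer or of the original question. It assumes the namespace-style security XML the question uses (`<http use-expressions="true">`), Spring Security 3.0/3.1 class names and schema, and the three URLs from the question; the bean ids `roleHierarchy`, `webExpressionHandler` and `methodExpressionHandler`, the login page wiring and the catch-all rule are my own choices, not something the question states.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.0.xsd">

    <!-- ROLE_ADMIN implies ROLE_USER: an admin carries only ROLE_ADMIN in the
         database and still satisfies hasRole('ROLE_USER'). More levels are
         further "A > B" entries, separated by whitespace, e.g.
         ROLE_ADMIN > ROLE_MODERATOR and ROLE_MODERATOR > ROLE_USER. -->
    <beans:bean id="roleHierarchy"
          class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl">
        <beans:property name="hierarchy">
            <beans:value>
                ROLE_ADMIN > ROLE_USER
            </beans:value>
        </beans:property>
    </beans:bean>

    <!-- The hierarchy is only consulted by components that are handed it
         explicitly. For hasRole()/hasAnyRole() inside intercept-url expressions
         that is the web expression handler. -->
    <beans:bean id="webExpressionHandler"
          class="org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler">
        <beans:property name="roleHierarchy" ref="roleHierarchy"/>
    </beans:bean>

    <http use-expressions="true">
        <intercept-url pattern="/auth/login.do" access="permitAll"/>
        <!-- /** instead of /*: an Ant-style * stops at the next slash, so a
             nested page such as /voting/2011/results would not match /voting/*
             and would fall through to the rules below it. -->
        <intercept-url pattern="/voting/**" access="hasRole('ROLE_USER')"/>
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <!-- Unmatched URLs are let through by default; a closing rule makes
             that explicit (assumed policy: anything else needs a login). -->
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <expression-handler ref="webExpressionHandler"/>
        <form-login login-page="/auth/login.do"/>
    </http>

    <!-- Method security (@PreAuthorize etc.) has its own expression handler, so
         the hierarchy has to be wired in a second time; otherwise an admin
         passes the URL rule above but fails @PreAuthorize("hasRole('ROLE_USER')"). -->
    <beans:bean id="methodExpressionHandler"
          class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler">
        <beans:property name="roleHierarchy" ref="roleHierarchy"/>
    </beans:bean>
    <global-method-security pre-post-annotations="enabled">
        <expression-handler ref="methodExpressionHandler"/>
    </global-method-security>
</beans:beans>
```

Two checks worth doing after adopting this: log in as a user who holds only ROLE_ADMIN and request a /voting/ page, and call one @PreAuthorize("hasRole('ROLE_USER')") method as the same user; if either is denied, the corresponding `<expression-handler>` is missing and hasRole() is silently evaluating against the raw authorities. Note also the trade-off against the approach in the question's EDIT: a hierarchy is global, so "admins who can't vote" is no longer expressible; assigning the expanded authority list per user in the UserDetailsService keeps that freedom at the cost of the enum bookkeeping.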
1

As far as I know, Spring Security does not support the concept of Roles and Privileges. In Spring Security there are only Roles, sometimes called Authorities. Moreover, in Spring Security the Roles/Authorities are what a Roles-and-Privileges system calls Privileges.

So if you want to build a system of Roles and Privileges, then you need to do it on your own by building your own Spring Security AuthenticationManager, and treat the Spring Security Roles/Authorities like Privileges.

@See this blog: Spring Security customization (Part 1 – Customizing UserDetails or extending GrantedAuthority) -- It is written for Spring Security 2.0 and shows how to implement what I am talking about. It also states that RoleHierarchy has some drawbacks, but this article is about 2.0; maybe the drawbacks are gone in 3.0.

Ralph
  • So I have to supply a list with hasAnyRole([role1,role2])? Damn.. not so good :) – chzbrgla Jun 06 '11 at 17:25
  • You can have other kinds of authorities than roles. For example, in my application I have local userids described as authorities (though they're not used for role voting of course, they are necessary for other parts of the app's security configuration). – Donal Fellows Jun 07 '11 at 10:06
  • looks like this answer is not up to date since in Spring 4 the roles are used in a slightly different way – kiedysktos Mar 23 '17 at 13:15
  • @kiedysktos I will have a look on it – Ralph Mar 25 '17 at 08:29