
I have a custom (synthetic) user role in my app to limit users' activities. We use @Secured() in many parts of our application with synthetic user roles.

The problem is I need to check whether the logged-in user has this synthetic role or not to perform some action. I tried using HttpServletRequest's isUserInRole(), but this method returns true only when checked against the user's original role, not against the synthetic/granted role. I also tried using RoleHierarchy.getReachableGrantedAuthorities(), but my manager wants me to do it at a higher level. getAuthorities() from SecurityContextHolder is also returning only the user's original role and not his granted roles.

The security-context file contains:

<bean id="roleHierarchy"
    class="org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl"
    xmlns="http://www.springframework.org/schema/beans">
    <property name="hierarchy">
        <value>
            ROLE_SysAdmin > ROLE_UserPassowrdResetInfoManager
            ROLE_FacilityGroupAdmin > ROLE_UserPassowrdResetInfoManager
        </value>
    </property>
</bean>

ROLE_SysAdmin is the user's original role and ROLE_UserPassowrdResetInfoManager is the granted role. My question is similar to this one, "Spring Security: User Authorization in Java Class", except I need to check for a synthetic/granted role for a user. Thanks.

  • What do you mean by `user's original role`? – lschin Apr 02 '13 at 08:29
  • Like the role which comes from the db/enum, such as SysAdmin or GroupAdmin. Spring adds ROLE_ as a prefix to SysAdmin, and the role of the user stored in SecurityContextHolder is ROLE_SysAdmin. – harrsha Apr 02 '13 at 08:38
  • So why can't you remove the prefix? Or don't use prefixes at all (they are only necessary if you are using a `RoleVoter`). – Shaun the Sheep Apr 02 '13 at 15:25
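As an added example (not from the question or its comments), a small helper that resolves the logged-in user's effective roles through the `roleHierarchy` bean from the security-context file and checks the granted role; the class name `EffectiveRoleChecker`, the method `hasEffectiveRole` and the test user "alice" are assumptions for illustration.

```java
import java.util.Collection;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical helper: declare it as a bean and inject the "roleHierarchy" bean
// so the check covers roles reached through the hierarchy, not only the original role.
public class EffectiveRoleChecker {
    private final RoleHierarchy roleHierarchy;

    public EffectiveRoleChecker(RoleHierarchy roleHierarchy) {
        this.roleHierarchy = roleHierarchy;
    }

    // True when the current user's original authorities reach the given role
    // via the hierarchy; false when nobody is authenticated (fail closed).
    public boolean hasEffectiveRole(String role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        Collection<? extends GrantedAuthority> reachable =
                roleHierarchy.getReachableGrantedAuthorities(auth.getAuthorities());
        for (GrantedAuthority ga : reachable) {
            if (role.equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }

    // Offline demonstration using the hierarchy from the question.
    public static void main(String[] args) {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_SysAdmin > ROLE_UserPassowrdResetInfoManager\n"
                + "ROLE_FacilityGroupAdmin > ROLE_UserPassowrdResetInfoManager");
        EffectiveRoleChecker checker = new EffectiveRoleChecker(hierarchy);

        // Constructed test login that holds only the original role.
        SecurityContextHolder.getContext().setAuthentication(
                new TestingAuthenticationToken("alice", "n/a", "ROLE_SysAdmin"));
        System.out.println(checker.hasEffectiveRole("ROLE_UserPassowrdResetInfoManager"));
        System.out.println(checker.hasEffectiveRole("ROLE_FacilityGroupAdmin"));
        SecurityContextHolder.clearContext();
    }
}
```

The first check succeeds because ROLE_SysAdmin reaches the granted role through the hierarchy, while the second fails because ROLE_FacilityGroupAdmin is a sibling, not a descendant, of ROLE_SysAdmin.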

0 Answers