Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AclAuthorizationStrategyImpl should use RoleHierarchy #4186

Closed
VaughanN opened this issue Jan 6, 2017 · 1 comment
Closed

AclAuthorizationStrategyImpl should use RoleHierarchy #4186

VaughanN opened this issue Jan 6, 2017 · 1 comment
Assignees
@marcusdacoregio
Labels
in: acl An issue in spring-security-acl type: enhancement A general enhancement
Milestone
6.4.0-M1

Comments

@VaughanN
Copy link

VaughanN commented Jan 6, 2017
edited
Loading

AclAuthorizationStrategyImpl does not check reachable granted authorities when checking principal's authorities to determine right

Spring Security has been configured using role hierarchies but Spring Security ACL does not consider this when evaluating a principals authorities to determine right.

Actual Behavior

From AclAuthorizationStrategyImpl .securityCheck(Acl, int) method:

// Iterate this principal's authorities to determine right
if (authentication.getAuthorities().contains(requiredAuthority)) {
	return;
}

Expected Behavior

The AclAuthorizationStrategyImpl .securityCheck(Acl, int) method should do something along the lines of:

    // Iterate this principal's authorities to determine right
    Collection<? extends GrantedAuthority> authorities = this.roleHierarchy
                    .getReachableGrantedAuthorities(authentication.getAuthorities());
    if (authorities.contains(requiredAuthority)) {
        return;
    }

Configuration

SpringACLConfig.java

...
@Bean
public AclAuthorizationStrategyImpl aclAuthorizationStrategy() {
	AclAuthorizationStrategyImpl aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
            new SimpleGrantedAuthority("ROLE_ACL_OWNERSHIP_ADMIN"), // grant ACL authority to CHANGE_OWNERSHIP
            new SimpleGrantedAuthority("ROLE_ACL_AUDITING_ADMIN"),  // grant ACL authority to CHANGE_AUDITING
            new SimpleGrantedAuthority("ROLE_ACL_GENERAL_ADMIN"));  // grant ACL authority to CHANGE_GENERAL

    	aclAuthorizationStrategy.setSidRetrievalStrategy(new SidRetrievalStrategyImpl(roleHierarchy()));

    	return aclAuthorizationStrategy;
}

...

Version

Using io.spring.platform:platform-bom:Athens-SR1 & org.springframework.boot:spring-boot-gradle-plugin:1.4.2.RELEASE
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 7, 2019
@mkamalov
Copy link

I recently encountered a bug and had to come up with a workaround to resolve the issue.

It is definitely a bug because Spring ACL supports role hierarchy for sidRetrievalStrategy in class AclAuthorizationStrategyImpl but absolutely ignores rohe hierarchy logic by using AuthorityUtils.authorityListToSet(authentication.getAuthorities()) method.

After 5 years it is still open but can be fixed in 1 day by allowing injecting RoleHierarchy into AclAuthorizationStrategyImpl.
Is there a plan to fix this issue in the future?

@marcusdacoregio marcusdacoregio self-assigned this May 23, 2024
@marcusdacoregio marcusdacoregio added in: acl An issue in spring-security-acl type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels May 23, 2024
@marcusdacoregio marcusdacoregio added this to the 6.4.0-M1 milestone May 23, 2024
@marcusdacoregio marcusdacoregio changed the title AclAuthorizationStrategyImpl does not check reachable granted authorities when checking principal's authorities to determine right AclAuthorizationStrategyImpl should use RoleHierarchy May 23, 2024
marcusdacoregio added a commit to marcusdacoregio/spring-security that referenced this issue May 23, 2024
@marcusdacoregio
Support RoleHierarchy in AclAuthorizationStrategyImpl
0f1fb56 
Closes spring-projectsgh-4186
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@marcusdacoregio marcusdacoregio

Labels
in: acl An issue in spring-security-acl type: enhancement A general enhancement
Projects
Spring Security Team
Status: No status
Milestone
6.4.0-M1
Development

No branches or pull requests
4 participants
@mkamalov @marcusdacoregio @spring-projects-issues @VaughanN