3

how i can check if a user has a hierarchical role at runtime ? I know this solution for the url authorization @PreAuthorize("hasRole('ROLE_ADMIN')") but inside a method if i have to check the role ?

For example:

ROLE_ADMIN > ROLE_USER > ROLE_GUEST

if (user.hasRole('ROLE_USER')){
    do something;
}

In this example the condition must to be true if the user has the ROLE_ADMIN because in hierarchical roles ROLE_ADMIN > ROLE_USER.

Thanks

Alberto Costa
  • 127
  • 1
  • 6
  • I don't would write this code: if (user.hasRole('ROLE_USER') || user.hasRole('ROLE_ADMIN')){ do something }, but only if (user.hasRole('ROLE_USER')), only the lowest role – Alberto Costa May 30 '17 at 14:15
  • You don't have to, if your user has ROLE_ADMIN as well as ROLE_USER – N4zroth May 30 '17 at 14:17
  • Why do you need the check inside a method? Why not use the `@PreAuthorize` (which as you seem to think has nothing to do with URL based security). – M. Deinum May 30 '17 at 14:56

1 Answers1

2

Thanks all for your replies. Maybe i found a solution. I created a custom hierarchical role system with this @Configuration:

    @Bean
    public RoleHierarchy roleHierarchy(){
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
        roleHierarchy.setHierarchy("ROLE_SUPERADMIN > ROLE_ADMIN ROLE_ADMIN > ROLE_USER ROLE_USER > ROLE_GUEST");
        return roleHierarchy;
    }

    @Bean
    public RoleHierarchyVoter roleVoter() {     
        return new RoleHierarchyVoter(roleHierarchy());
    }

    @Bean 
    public DefaultWebSecurityExpressionHandler expressionHandler(){
        DefaultWebSecurityExpressionHandler expressionHandler = new DefaultWebSecurityExpressionHandler();
        expressionHandler.setRoleHierarchy(roleHierarchy());
        return expressionHandler;
    }

After that i created an help function:

public static boolean hasHierarchyRole(String role, RoleHierarchy roleHierarchy) {

        Collection<? extends GrantedAuthority> authorities = SecurityContextHolder.getContext().getAuthentication().getAuthorities();

        Collection<? extends GrantedAuthority> hierarchyAuthorities = roleHierarchy.getReachableGrantedAuthorities(authorities);

        for (GrantedAuthority authority : hierarchyAuthorities) {
            if (authority.getAuthority().equals(role)) {
                return true;
            }
        }

        return false;
    }

and seems to work.

Alberto Costa
  • 127
  • 1
  • 6
  • Thanks, mate. I was looking for something like this. A shame that there is no "built-in" method in Spring Boot to use (additionally to the @PreAuthorize annotation) for a more fine-grained role check. – Deewens Jun 28 '22 at 11:34