Summary
I've noticed a strange behaviour when setting up a RoleHierarchy in a simple Spring Boot application, when trying to use it with org.springframework.security.taglibs.authz.AbstractAuthorizeTag.
Actual Behavior
Effectively two DefaultWebSecurityExpressionHandler instances get created:
- https://github.com/spring-projects/spring-security/blob/ce79ef263493500cf6822d8ba605bfd02fc807b2/config/src/main/java/org/springframework/security/config/annotation/web/builders/WebSecurity.java#L98-L100
- https://github.com/spring-projects/spring-security/blob/ce79ef263493500cf6822d8ba605bfd02fc807b2/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java#L209-L231
The second one picks up my RoleHierarchy bean, but the first doesn't.
org.springframework.security.taglibs.authz.AbstractAuthorizeTag#getExpressionHandler resolves the first handler, so the RoleHierarchy is ignored.
Expected Behavior
I'd expect AbstractAuthorizeTag to use my RoleHierarchy when resolving hasRole() expressions.
Configuration
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // Two in-memory users; "admin" only holds ROLE_admin, "user" only ROLE_user
        auth.inMemoryAuthentication()
            .withUser("admin").password("{noop}admin").roles("admin").and()
            .withUser("user").password("{noop}user").roles("user");
    }

    @Bean
    public RoleHierarchy roleHierarchy() {
        // ROLE_admin should imply ROLE_user wherever hasRole() is evaluated
        RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
        roleHierarchy.setHierarchy("ROLE_admin > ROLE_user");
        return roleHierarchy;
    }
}
Version
Spring Security 5.2.0.M3
Sample
See #2997, #4115 and https://github.com/spring-projects/spring-security/commit/8a66d0c78d9f51e2294229ff3c4038dfe5008c73#diff-23827daef0917bb5218098c8108b9125
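The discrepancy described above, reproduced outside the web stack as an added example (not code from the reporter or from Spring Security): the same DefaultWebSecurityExpressionHandler evaluates hasRole('user') for the admin principal differently depending on whether the RoleHierarchy was injected, which is exactly the difference between the handler the URL authorization configurer builds and the one AbstractAuthorizeTag resolves. The class name, the dummy request path and the TestingAuthenticationToken principal are assumptions made for the demo.

```java
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.Expression;
import org.springframework.security.access.expression.ExpressionUtils;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.access.expression.DefaultWebSecurityExpressionHandler;

// Hypothetical demo class, not part of the issue's application
public class RoleHierarchyHandlerDemo {

    // Evaluates hasRole('user') for a principal that only holds ROLE_admin, using a
    // DefaultWebSecurityExpressionHandler configured with the given hierarchy.
    // Passing null mimics the WebSecurity handler, which never receives the bean.
    static boolean adminSatisfiesHasRoleUser(RoleHierarchy hierarchy) {
        DefaultWebSecurityExpressionHandler handler = new DefaultWebSecurityExpressionHandler();
        if (hierarchy != null) {
            handler.setRoleHierarchy(hierarchy);
        }
        // Constructed authentication matching the "admin" user of the in-memory config
        Authentication admin = new TestingAuthenticationToken("admin", "admin", "ROLE_admin");
        // Dummy request; the JSP tag evaluates against the current request the same way
        FilterInvocation invocation = new FilterInvocation("/index.jsp", "GET");
        EvaluationContext ctx = handler.createEvaluationContext(admin, invocation);
        Expression expression = handler.getExpressionParser().parseExpression("hasRole('user')");
        return ExpressionUtils.evaluateAsBoolean(expression, ctx);
    }

    public static void main(String[] args) {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_admin > ROLE_user");

        // Handler that picked up the bean (ExpressionUrlAuthorizationConfigurer): true
        System.out.println("with hierarchy:    " + adminSatisfiesHasRoleUser(hierarchy));
        // Handler that did not (WebSecurity, resolved by AbstractAuthorizeTag): false
        System.out.println("without hierarchy: " + adminSatisfiesHasRoleUser(null));
    }
}
```

A page guarded by `<sec:authorize access="hasRole('user')">` therefore hides content from admin even though URL authorization for the same expression lets admin through.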
Comment From: larsgrefer
After doing some more research, I think this issue is related to #5272
Comment From: rwinch
Thanks for the report @larsgrefer! Would you be willing to submit a PR for this?
Comment From: larsgrefer
I'm not sure what exactly this PR should look like.
Ideally there would be only one DefaultWebSecurityExpressionHandler instance which is used everywhere by default (instead of multiple instances whose default configuration needs to be kept in sync), but where should this instance be created and where should it be configured?
Comment From: rwinch
@larsgrefer I think we should start by fixing the immediate problem and updating the configuration to be kept in sync. This will be faster and less risky (which is desirable for a bug fix). We can explore using the same instance in a separate PR.
Comment From: evgeniycheban
@rwinch I can take this task.
Comment From: rwinch
Thank you @evgeniycheban. The issue is yours.