Apparently Spring Security supports two concepts when working with hierarchical roles:

  1. Resolving the effective roles at authentication time through a RoleHierarchyAuthoritiesMapper
  2. Resolving the roles at every request through a RoleHierarchyVoter

The current reference documentation only mentions the latter option.

Comment From: jzheaux

Thanks for reaching out, @larsgrefer. Would you be able to submit a PR to add the missing documentation?

Comment From: larsgrefer

Which branch should this PR target?

I'm also not sure where exactly this should be documented. It's currently under Servlet Applications, but the RoleHierarchyAuthoritiesMapper is also supported by some ReactiveAuthenticationManagers (namely OAuth2 and Oidc).

Comment From: jzheaux

master is just fine - I'll take care of backporting it to earlier branches.

I'd place it at the end of the Hierarchical Roles section. I believe it makes sense to add this information after the voter information since a GrantedAuthoritiesMapper isn't recognized by all authentication mechanisms.

I'd also try and add an internal link in the OAuth 2.0 Login and SAML 2.0 Login sections back to that new material. There might not be a smooth way to do that without going off-topic in those sections, but I believe it's worth a look.
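
The two approaches discussed in this issue, side by side, as an added example that is not part of the thread or of the Spring Security reference. It assumes Spring Security 5.x on the classpath; the role names, the user "alice" and the class name are constructed for illustration.

```java
import java.util.Collection;
import java.util.List;

import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.access.SecurityConfig;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyAuthoritiesMapper;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.vote.RoleHierarchyVoter;
import org.springframework.security.access.vote.RoleVoter;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Hypothetical demo class: compares where the role hierarchy is applied.
public class HierarchicalRolesDemo {

    public static void main(String[] args) {
        // Constructed hierarchy: ADMIN implies STAFF, STAFF implies USER.
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_STAFF\nROLE_STAFF > ROLE_USER");

        // What the user store grants, and what the protected resource requires.
        List<GrantedAuthority> granted = AuthorityUtils.createAuthorityList("ROLE_ADMIN");
        List<ConfigAttribute> required = SecurityConfig.createList("ROLE_USER");

        // Option 1: expand once at authentication time. The Authentication
        // itself then carries every reachable role, so a plain RoleVoter
        // (with no knowledge of the hierarchy) can decide.
        Collection<? extends GrantedAuthority> effective =
                new RoleHierarchyAuthoritiesMapper(hierarchy).mapAuthorities(granted);
        Authentication expanded =
                new UsernamePasswordAuthenticationToken("alice", "n/a", effective);
        int mapperDecision = new RoleVoter().vote(expanded, null, required);

        // Option 2: keep the Authentication as granted and let the voter
        // consult the hierarchy on every access decision.
        Authentication raw =
                new UsernamePasswordAuthenticationToken("alice", "n/a", granted);
        int voterDecision = new RoleHierarchyVoter(hierarchy).vote(raw, null, required);

        // Control: neither mechanism in place.
        int plainDecision = new RoleVoter().vote(raw, null, required);

        System.out.println("authorities after mapper: " + effective);
        System.out.println("mapper + RoleVoter:       " + mapperDecision);
        System.out.println("raw + RoleHierarchyVoter: " + voterDecision);
        System.out.println("raw + RoleVoter:          " + plainDecision);
    }
}
```

The printed decisions are the `AccessDecisionVoter` constants (`ACCESS_GRANTED`, `ACCESS_ABSTAIN`, `ACCESS_DENIED`). With the mapper, the expanded authorities are fixed in the `Authentication` for as long as it is reused, whereas the voter re-reads the hierarchy at each decision.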