In the current 6.0.2 official documentation we have this small sample code related to hierarchical roles:

@Bean
AccessDecisionVoter hierarchyVoter() {
    RoleHierarchy hierarchy = new RoleHierarchyImpl();
    hierarchy.setHierarchy("ROLE_ADMIN > ROLE_STAFF\n" +
            "ROLE_STAFF > ROLE_USER\n" +
            "ROLE_USER > ROLE_GUEST");
    return new RoleHierarchyVoter(hierarchy);
}

This code uses deprecated classes and does not provide any sample that can be used in the current Spring version.

Comment From: jzheaux

Thanks for the report, @istoony. RoleHierarchy bean configuration is not fully ported over as of 6.0.x. As such, I think what should be done here is add a note about that in the documentation and then update it once completed. I've also added #12783 detailing what needs to be done to support RoleHierarchy bean configuration.

In the meantime, to configure RoleHierarchy for pre-post method security, use DefaultMethodSecurityExpressionHandler:

@Bean
static RoleHierarchy roleHierarchy() {
    RoleHierarchy hierarchy = new RoleHierarchyImpl();
    hierarchy.setHierarchy("ROLE_ADMIN > ROLE_STAFF\n" +
            "ROLE_STAFF > ROLE_USER\n" +
            "ROLE_USER > ROLE_GUEST");
    return new RoleHierarchyVoter(hierarchy);
}

@Bean
static DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler(RoleHierarchy roleHierarchy) {
    DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
    expressionHandler.setRoleHierarchy(roleHierarchy);
    return expressionHandler;
}

And to configure it for filter security, use the access(AuthorizationManager) method instead of hasRole, like so:

AuthorityAuthorizationManager<RequestAuthorizationContext> hasRoleUser =
    AuthorityAuthorizationManager.hasRole("USER");
hasRoleUser.setRoleHierarchy(roleHierarchy);

http
    .authorizeHttpRequests((authorize) -> authorize
        .requestMatchers("/needs/user/**").access(hasRoleUser)
        .anyRequest().authenticated()
    )
    // ...

Comment From: super-iterator

@jzheaux Thanks for your contribution!

I tried the RoleHierarchy mentioned above, but it seems like there is an issue with it:

java: incompatible types: org.springframework.security.access.vote.RoleHierarchyVoter cannot be converted to org.springframework.security.access.hierarchicalroles.RoleHierarchy.

Casting the return type to RoleHierarchy produces other issues since they are incompatible.

I wonder, how did you manage to make it work?
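For reference, an added example (not part of the thread and not the project's own code) of how the two interim configurations above fit together in one class whose hierarchy bean type-checks. It assumes Spring Security 6.0.x, where `RoleHierarchyImpl.setHierarchy(String)` is available; the class name `RoleHierarchyConfig` and the `filterChain` method name are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;

// Hypothetical class name; assumes Spring Security 6.0.x on the classpath.
@Configuration
@EnableWebSecurity
@EnableMethodSecurity
public class RoleHierarchyConfig {

    @Bean
    static RoleHierarchy roleHierarchy() {
        // setHierarchy(String) is defined on RoleHierarchyImpl, not on the
        // RoleHierarchy interface, so the local variable uses the concrete type.
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_STAFF\n" +
                "ROLE_STAFF > ROLE_USER\n" +
                "ROLE_USER > ROLE_GUEST");
        return hierarchy; // RoleHierarchyImpl implements RoleHierarchy
    }

    @Bean
    static DefaultMethodSecurityExpressionHandler methodSecurityExpressionHandler(RoleHierarchy roleHierarchy) {
        DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
        expressionHandler.setRoleHierarchy(roleHierarchy);
        return expressionHandler;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, RoleHierarchy roleHierarchy) throws Exception {
        // Filter security: the same hierarchy bean is set on the manager passed to access(...).
        AuthorityAuthorizationManager<RequestAuthorizationContext> hasRoleUser =
                AuthorityAuthorizationManager.hasRole("USER");
        hasRoleUser.setRoleHierarchy(roleHierarchy);
        http.authorizeHttpRequests((authorize) -> authorize
                .requestMatchers("/needs/user/**").access(hasRoleUser)
                .anyRequest().authenticated());
        return http.build();
    }
}
```

With this hierarchy, a principal holding only `ROLE_ADMIN` or `ROLE_STAFF` passes the `/needs/user/**` rule, while `.anyRequest().authenticated()` is unaffected by the hierarchy.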