Describe the bug
Defined role hierarchy is not picked up by AuthorityAuthorizationManager.
- Role hierarchy: ROLE_SUPERUSER > ROLE_USER
- Endpoint GET /greet is authorized to role USER
- User `user` is configured as SUPERUSER. According to the defined role hierarchy, access to the resource should be granted.

After debugging I found that AuthorityAuthorizationManager is always using NullRoleHierarchy. Its setter is never assigned the one I created.

Env: Spring Boot 3.0.0 / Spring Security 6.0.0
Context: Upgrading from Spring Boot 2.7.x to Spring Boot 3.0.0

To Reproduce
1. Start the example
2. Go to localhost:8080/greet
3. A login form should be shown; user: user, password: pass
4. Response code is 403, forbidden.

Expected behavior
Should return the "hello world" string
Sample
Comment From: davidvelasco-lk
I found this way to enable role hierarchies. Is this the expected way to do it?
```java
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;

@Bean
public SecurityFilterChain configure(
        HttpSecurity http,
        RequestHeaderAuthenticationFilter headerAuthenticationFilter) throws Exception {
    // Build the manager by hand so the RoleHierarchy can be set on it;
    // without the setter call it falls back to NullRoleHierarchy.
    var auth1 = AuthorityAuthorizationManager.<RequestAuthorizationContext>hasRole("USER");
    auth1.setRoleHierarchy(roleHierarchy());
    http
        .authorizeHttpRequests(auth -> auth
            .requestMatchers(HttpMethod.GET).access(auth1)
        );
    return http.build();
}

@Bean
public RoleHierarchy roleHierarchy() {
    RoleHierarchyImpl r = new RoleHierarchyImpl();
    r.setHierarchy("ROLE_SUPERUSER > ROLE_USER");
    return r;
}
```
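The workaround above, carried through to a complete Spring Boot 3 / Spring Security 6.0 configuration that reproduces the scenario from the report (in-memory user `user`/`pass` holding only ROLE_SUPERUSER, GET /greet restricted to ROLE_USER). This is an added example, not code from the issue or from the Spring Security project; the package name, the class names, the `hasRoleWithHierarchy` helper and the nested controller are assumptions, and it assumes the class sits in a package scanned by the Boot application. The helper generalizes the per-endpoint snippet so every `hasRole` rule gets the hierarchy applied instead of the default `NullRoleHierarchy`.

```java
package com.example.rolehierarchy; // assumed package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authorization.AuthorityAuthorizationManager;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class RoleHierarchySecurityConfig {

    // The hierarchy from the report: ROLE_SUPERUSER implies ROLE_USER.
    @Bean
    public RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_SUPERUSER > ROLE_USER");
        return hierarchy;
    }

    // Constructed reproduction user: user/pass holds only ROLE_SUPERUSER,
    // so access to /greet depends entirely on the hierarchy being applied.
    @Bean
    public UserDetailsService userDetailsService() {
        return new InMemoryUserDetailsManager(
                User.withUsername("user").password("{noop}pass").roles("SUPERUSER").build());
    }

    // Hypothetical helper: hasRole() with the RoleHierarchy set on the manager.
    // Without the setter call the manager uses NullRoleHierarchy and a
    // SUPERUSER is rejected from USER-only endpoints with a 403.
    private AuthorizationManager<RequestAuthorizationContext> hasRoleWithHierarchy(
            String role, RoleHierarchy roleHierarchy) {
        AuthorityAuthorizationManager<RequestAuthorizationContext> manager =
                AuthorityAuthorizationManager.hasRole(role);
        manager.setRoleHierarchy(roleHierarchy);
        return manager;
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http, RoleHierarchy roleHierarchy)
            throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // Apply the hierarchy-aware manager per rule instead of plain hasRole("USER").
                .requestMatchers(HttpMethod.GET, "/greet").access(hasRoleWithHierarchy("USER", roleHierarchy))
                .anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    // Endpoint from the report; expected body after logging in as user/pass: "hello world".
    @RestController
    static class GreetController {
        @GetMapping("/greet")
        public String greet() {
            return "hello world";
        }
    }
}
```

Start the application, open http://localhost:8080/greet, and log in as user/pass: the request should now return 200 with "hello world" rather than 403. Swapping `hasRoleWithHierarchy("USER", roleHierarchy)` for the built-in `.hasRole("USER")` brings the 403 back, which is the quickest way to confirm the hierarchy was the missing piece.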
Comment From: jzheaux
Thanks for reaching out, @davidvelasco-lk. This is what is supported at this point, yes.
It would be nice if AuthorizeHttpRequestsConfigurer.AuthorizeUrl#hasRole and other related methods looked for the RoleHierarchy bean and called AuthorityAuthorizationManager's setter. Are you able to submit a PR that adds this functionality?
Comment From: evgeniycheban
Hi, @jzheaux. I should've added this functionality in gh-12231, but I didn't take into account such a use case. I'm going to add this in a new PR, so the user will be able to define RoleHierarchy as a @Bean, and it will be determined by the AuthorizeHttpRequestsConfigurer and set on the AuthorityAuthorizationManager using its setter.
Comment From: helloKeyur
@davidvelasco-lk & @jzheaux, if we want to enable method-level security and secure endpoints with annotations at the controller level, not in the SpringSecurityConfig class, how can we configure that in Spring Boot 3 & Spring Security 6?