AclAuthorizationStrategyImpl does not check reachable granted authorities when checking principal's authorities to determine right
Spring Security has been configured using role hierarchies but Spring Security ACL does not consider this when evaluating a principal's authorities to determine right.
Actual Behavior
From the AclAuthorizationStrategyImpl.securityCheck(Acl, int) method:

```java
// Iterate this principal's authorities to determine right
if (authentication.getAuthorities().contains(requiredAuthority)) {
    return;
}
```
Expected Behavior
The AclAuthorizationStrategyImpl.securityCheck(Acl, int) method should do something along the lines of:

```java
// Iterate this principal's authorities to determine right
Collection<? extends GrantedAuthority> authorities = this.roleHierarchy
        .getReachableGrantedAuthorities(authentication.getAuthorities());
if (authorities.contains(requiredAuthority)) {
    return;
}
```
Configuration
SpringACLConfig.java
```java
// ...
@Bean
public AclAuthorizationStrategyImpl aclAuthorizationStrategy() {
    AclAuthorizationStrategyImpl aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
            new SimpleGrantedAuthority("ROLE_ACL_OWNERSHIP_ADMIN"), // grant ACL authority to CHANGE_OWNERSHIP
            new SimpleGrantedAuthority("ROLE_ACL_AUDITING_ADMIN"),  // grant ACL authority to CHANGE_AUDITING
            new SimpleGrantedAuthority("ROLE_ACL_GENERAL_ADMIN"));  // grant ACL authority to CHANGE_GENERAL
    aclAuthorizationStrategy.setSidRetrievalStrategy(new SidRetrievalStrategyImpl(roleHierarchy()));
    return aclAuthorizationStrategy;
}
// ...
```
Version
Using io.spring.platform:platform-bom:Athens-SR1 & org.springframework.boot:spring-boot-gradle-plugin:1.4.2.RELEASE
Comment From: mkamalov
I recently encountered a bug and had to come up with a workaround to resolve the issue.
It is definitely a bug because Spring ACL supports role hierarchy for sidRetrievalStrategy in class AclAuthorizationStrategyImpl but absolutely ignores role hierarchy logic by using AuthorityUtils.authorityListToSet(authentication.getAuthorities()) method.
After 5 years it is still open but can be fixed in 1 day by allowing injecting RoleHierarchy into AclAuthorizationStrategyImpl. Is there a plan to fix this issue in the future?
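A workaround of the kind the Expected Behavior section and the comment above describe, written here as an added example and not code from Spring Security: a decorator that runs the stock AclAuthorizationStrategyImpl against an Authentication whose authorities have first been expanded through the RoleHierarchy, so a role that only inherits ROLE_ACL_GENERAL_ADMIN passes the admin check while owner and SID checks keep working because the principal is unchanged. The class name RoleHierarchyAclAuthorizationStrategy is an assumption; every Spring Security type and method used is from the public API of the 4.x line the page's versions resolve to.

```java
import java.util.Collection;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.acls.domain.AclAuthorizationStrategyImpl;
import org.springframework.security.acls.domain.SidRetrievalStrategyImpl;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.AclAuthorizationStrategy;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

/** Hypothetical workaround: applies the RoleHierarchy before delegating to the stock strategy. */
public class RoleHierarchyAclAuthorizationStrategy implements AclAuthorizationStrategy {

    private final AclAuthorizationStrategyImpl delegate;
    private final RoleHierarchy roleHierarchy;

    public RoleHierarchyAclAuthorizationStrategy(RoleHierarchy roleHierarchy, GrantedAuthority... adminAuthorities) {
        this.roleHierarchy = roleHierarchy;
        this.delegate = new AclAuthorizationStrategyImpl(adminAuthorities);
        // SID retrieval already honours the hierarchy; only the admin-authority check in securityCheck does not
        this.delegate.setSidRetrievalStrategy(new SidRetrievalStrategyImpl(roleHierarchy));
    }

    @Override
    public void securityCheck(Acl acl, int changeType) {
        SecurityContext context = SecurityContextHolder.getContext();
        Authentication original = context.getAuthentication();
        if (original == null) {
            delegate.securityCheck(acl, changeType); // let the delegate raise its usual "no authentication" error
            return;
        }
        Collection<? extends GrantedAuthority> reachable =
                roleHierarchy.getReachableGrantedAuthorities(original.getAuthorities());
        // Same principal (so owner checks still match), but with every inherited role attached
        Authentication expanded = new UsernamePasswordAuthenticationToken(
                original.getPrincipal(), original.getCredentials(), reachable);
        context.setAuthentication(expanded);
        try {
            delegate.securityCheck(acl, changeType);
        } finally {
            context.setAuthentication(original); // never leave the widened token in the thread-local context
        }
    }
}
```

Register it in place of the aclAuthorizationStrategy bean from the Configuration section, passing the existing roleHierarchy() bean and the same three SimpleGrantedAuthority values.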