authorityHttpRequests picks up a RoleHierarchy bean. If method security does the same thing, then it will simplify security configuration overall.

Currently, method security role hierarchy must be configured for each authorization manager individually via DefaultMethodSecurityExpressionHandler for pre-post annotations, AuthoritiesAuthorizationManager for secured annotations, and via a custom authorization manager for JSR-250 annotations.
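The per-manager wiring the description refers to, shown for the pre-post case as an added example (not code from the issue or from Spring Security itself). It assumes Spring Security 6.x with @EnableMethodSecurity; the hierarchy string, MethodSecurityConfig and ReportService are constructed for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.stereotype.Service;

@Configuration
@EnableMethodSecurity
public class MethodSecurityConfig {

    // Constructed hierarchy: ROLE_ADMIN implies ROLE_USER.
    // authorizeHttpRequests picks this bean up on its own.
    @Bean
    static RoleHierarchy roleHierarchy() {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER");
        return hierarchy;
    }

    // Method security does not: without this explicit handler bean,
    // @PreAuthorize/@PostAuthorize evaluate hasRole() against the raw
    // authorities only. Declared static so it exists before the
    // method-security advisors are created.
    @Bean
    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(RoleHierarchy roleHierarchy) {
        DefaultMethodSecurityExpressionHandler handler = new DefaultMethodSecurityExpressionHandler();
        handler.setRoleHierarchy(roleHierarchy);
        return handler;
    }
}

@Service
class ReportService {

    // With the handler above, a caller holding only ROLE_ADMIN is allowed
    // because the hierarchy expands it to ROLE_USER. Remove the handler bean
    // and the same caller is denied: the check fails closed, which is the
    // inconsistency between web and method security the issue describes.
    @PreAuthorize("hasRole('USER')")
    public String monthlyReport() {
        return "report";
    }
}
```

This wiring covers only pre-post annotations; as the description notes, @Secured needs the hierarchy set on AuthoritiesAuthorizationManager and JSR-250 annotations need a custom authorization manager.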

Comment From: kandaguru17

Happy to work on this :) @jzheaux

I have some queries here:

  1. Regarding the issue description's "authorityHttpRequests picks up a RoleHierarchy bean.": does this mean that AuthorizeHttpRequestsConfigurer uses the injected ApplicationContext to retrieve the RoleHierarchy bean?
  2. Enabling a similar behavior in DefaultMethodSecurityExpressionHandler and AuthoritiesAuthorizationManager would need us to inject the ApplicationContext in the constructor of both classes. Is there any suggestion you have to handle the side effects of this, as the default constructor is used in some places?
  3. Would it make sense to create an inner static class that implements ApplicationContextAware to get a handle on the ApplicationContext and retrieve the RoleHierarchy bean, to tackle 2?

Please correct me if my understanding is not correct.

Comment From: marcusdacoregio

Hi, @kandaguru17.

  1. Yes, at configuration time, AuthorizeHttpRequestsConfigurer retrieves the bean available in the ApplicationContext and sets it into the classes that use it.
  2. Take a look at @EnableMethodSecurity: the annotation imports MethodSecuritySelector, which in turn applies some configuration classes, like PrePostMethodSecurityConfiguration, in order to configure the required beans for method security.
  3. I don't think so. Your changes will probably need to go into the configuration classes (PrePostMethodSecurityConfiguration, SecuredMethodSecurityConfiguration, Jsr250MethodSecurityConfiguration), using method injection to get the available RoleHierarchy.

Comment From: wilx

This issue is linked from the docs at https://docs.spring.io/spring-security/reference/servlet/authorization/architecture.html#authz-hierarchical-roles with a note:

RoleHierarchy bean configuration is not yet ported over to @EnableMethodSecurity. As such this example is using AccessDecisionVoter. If you need RoleHierarchy support for method security, please continue using @EnableGlobalMethodSecurity until github.com/spring-projects/spring-security/issues/12783 is complete.

Is the note still valid?