
Spring security, hierarchical roles syntax Grails 3 vs Grails 4 #730

Open
fjloma opened this issue Mar 17, 2022 · 2 comments

fjloma commented Mar 17, 2022

Expected Behavior

The role hierarchy relationship is specified by the ">" operator:

grails.plugin.springsecurity.roleHierarchy = '''
        ROLE_ADMIN>ROLE_USER
'''

This simple hierarchy works on Grails 3. A user with the ROLE_ADMIN role also has the ROLE_USER role.

Actual Behaviour

This hierarchy specification is not working on Grails 4, and it gives no warning or error on application boot-up.
A user with ROLE_ADMIN has only this role and does not inherit ROLE_USER.

Steps To Reproduce

You can clone

If you want to generate the Grails 4 code, follow tutorial https://grails.github.io/grails-spring-security-core/4.0.x/index.html#tutorials until step 26.1.8.8

Change the SecureController class to print the user roles.

SecureController.groovy

package com.mycompany.myapp

import grails.plugin.springsecurity.annotation.Secured
import org.springframework.security.core.context.SecurityContextHolder

class SecureController {
   @Secured('ROLE_ADMIN')
   def index() {
      render 'Secure access only '+ SecurityContextHolder.getContext().getAuthentication().getAuthorities()
   }
}

Test fails

Add the following simple role hierarchy to application.groovy. Note that there are no spaces around the ">" symbol.

grails.plugin.springsecurity.roleHierarchy = '''
        ROLE_ADMIN>ROLE_USER
'''

Run the application (grails run-app), go to http://localhost:8080/secure and log in with me / password. It shows:

Secure access only [ROLE_ADMIN]

when the expected value should be

Secure access only [ROLE_USER, ROLE_ADMIN]

Test with spaces

Change the hierarchy configuration in application.groovy to have spaces around the ">":

grails.plugin.springsecurity.roleHierarchy = '''
        ROLE_ADMIN > ROLE_USER
'''

Run the application (grails run-app), go to http://localhost:8080/secure and log in with me / password. Now it shows the correct values:

Secure access only [ROLE_USER, ROLE_ADMIN]

Environment Information

  • Operating System: macOS Monterey 12.2.1, Apple M1 Max
  • Grails Version: 4.0.13
  • JVM Version: 1.8.0_312
  • Groovy 2.5.14

Example Application

https://github.com/fjloma/grails4-spring-security-test

Version

4.0.13
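The report above shows a role hierarchy that is silently ignored when the ">" has no surrounding whitespace, so ROLE_ADMIN stops inheriting ROLE_USER with no error at boot. The following Groovy script is an added example, not code from the issue or from the grails-spring-security-core plugin: it parses a roleHierarchy string with the strict "whitespace on both sides of >" rule that the reporter observed to work on Grails 4 (that rule is an assumption inferred from the two experiments above, not from the plugin's source), reports lines that define no relationship, and computes the roles a principal effectively holds so the result can be compared with what the SecureController renders. The class name, method names and the two constructed configuration strings are all hypothetical.

```groovy
// Added example: boot-time sanity check for grails.plugin.springsecurity.roleHierarchy.
// Assumption: a relationship is only recognised as "HIGHER > LOWER" when ">" is surrounded
// by whitespace (inferred from the issue's observations, not from the plugin's source).
class RoleHierarchyCheck {

    // Regex used to split one hierarchy line into its roles.
    static final String STRICT_DELIMITER = /\s+>\s+/

    /**
     * Parses the multi-line hierarchy string.
     * Returns [edges: [[higher, lower], ...], problems: [description, ...]].
     */
    static Map parse(String hierarchy) {
        List<List<String>> edges = []
        List<String> problems = []
        hierarchy.readLines().eachWithIndex { String raw, int idx ->
            String line = raw.trim()
            if (!line) return                       // blank line, nothing to do
            String[] roles = line.split(STRICT_DELIMITER)
            if (roles.length < 2) {
                // Either no ">" at all, or ">" without whitespace, e.g. "ROLE_ADMIN>ROLE_USER".
                String hint = line.contains('>') ? 'missing whitespace around ">"' : 'no ">" operator'
                problems << "line ${idx + 1}: '${line}' defines no relationship (${hint})"
                return
            }
            // Every adjacent pair is one "higher > lower" edge (chains like A > B > C are allowed).
            for (int i = 0; i < roles.length - 1; i++) {
                edges << [roles[i], roles[i + 1]]
            }
        }
        [edges: edges, problems: problems]
    }

    /** All roles a principal holding `granted` effectively has: the transitive closure, sorted. */
    static List<String> reachableRoles(List<List<String>> edges, Collection<String> granted) {
        Map<String, List<String>> below = [:].withDefault { [] }
        edges.each { String higher, String lower -> below[higher] << lower }
        Set<String> seen = new LinkedHashSet<>(granted)
        Deque<String> todo = new ArrayDeque<>(granted)
        while (todo) {
            String role = todo.pop()
            below[role].each { if (seen.add(it)) todo.push(it) }
        }
        seen.toList().sort()
    }
}

// Constructed inputs mirroring the two configurations tried in the issue.
String noSpaces = '''
        ROLE_ADMIN>ROLE_USER
'''
String withSpaces = '''
        ROLE_ADMIN > ROLE_USER
'''

[noSpaces, withSpaces].each { String cfg ->
    Map parsed = RoleHierarchyCheck.parse(cfg)
    parsed.problems.each { println "WARN roleHierarchy: ${it}" }
    println "ROLE_ADMIN effectively has: ${RoleHierarchyCheck.reachableRoles(parsed.edges, ['ROLE_ADMIN'])}"
}
```

Run it with `groovy RoleHierarchyCheck.groovy`. The first configuration produces a warning and leaves ROLE_ADMIN with only itself; the second produces no warning and yields both ROLE_ADMIN and ROLE_USER, matching the two renderings of /secure in the report. Wiring a check like this into a Bootstrap or a startup test turns the silent misconfiguration into a visible failure.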

@puneetbehl
Contributor

Thank you for reporting the issue. We are sorry that you are facing this issue. We will soon investigate why it is broken and will update you.

@davebrown1975

Any update yet on this issue? I'm facing something similar but not constantly reproducible.
