Hierarchical Roles in the Grails Spring Security Plugin
I was looking at a non-Grails
Spring Security application that used hierarchical roles and wondered what it'd take to get this working with the Grails plugin. Turns out it's pretty simple.
Non-hierarchical roles are checked by a RoleVoter but to use hierarchical roles you need a RoleHierarchyVoter. Replacing the roleVoter bean in resources.groovy is all it takes.
RoleHierarchyVoter needs an implementation of RoleHierarchy and the default implementation in Spring Security is RoleHierarchyImpl which parses a String defining the hierarchy. For example, this configuration defines the hierarchy ROLE_SUPERADMIN > ROLE_ADMIN > ROLE_USER:
import org.springframework.security.vote.RoleHierarchyVoter
beans = {
roleHierarchy(RoleHierarchyImpl) {
hierarchy = '''
ROLE_SUPERADMIN > ROLE_ADMIN
ROLE_ADMIN > ROLE_USER
'''
}
roleVoter(RoleHierarchyVoter, ref('roleHierarchy'))
}
You can download a small demo app here that shows how it works. Unpack the app and run grails run-app, and then open http://localhost:8080/hierarchical/secure/. The app creates three users in BootStrap:
| Username | Password | Role |
|---|---|---|
| user | user | ROLE_USER |
| admin | admin | ROLE_ADMIN |
| superadmin | superadmin | ROLE_SUPERADMIN |
so you can login as each user to test the secured actions:
def index = {}
@Secured(['ROLE_USER'])
def user = {
...
}
@Secured(['ROLE_ADMIN'])
def admin = {
...
}
@Secured(['ROLE_SUPERADMIN'])
def superadmin = {
...
}
}
Logout in between by navigating to http://localhost:8080/hierarchical/logout. Although only one role is defined for each action, as the super admin you can access all three, as the admin you can access admin and user, and as the user you can only access user.
I'll make this part of the plugin at some point to make configuration simpler, but for now it's not much work to do it explicitly.
