Hierarchical Roles in the Grails Spring Security Plugin
Update: This is a feature in the Spring Security Core


I was looking at a non-Grails Spring Security application that used hierarchical roles and wondered what it’d take to get this working with the Grails plugin. Turns out it’s pretty simple.
Non-hierarchical roles are checked by a RoleVoter, but to use hierarchical roles you need a RoleHierarchyVoter. Replacing the roleVoter bean in resources.groovy is all it takes. RoleHierarchyVoter needs an implementation of RoleHierarchy, and the default implementation in Spring Security is RoleHierarchyImpl, which parses a String defining the hierarchy. For example, this configuration defines the hierarchy ROLE_SUPERADMIN > ROLE_ADMIN > ROLE_USER:
```groovy
import org.springframework.security.userdetails.hierarchicalroles.RoleHierarchyImpl
import org.springframework.security.vote.RoleHierarchyVoter

beans = {
    // One "HIGHER > LOWER" relation per line; a role implies every role below it
    roleHierarchy(RoleHierarchyImpl) {
        hierarchy = '''
            ROLE_SUPERADMIN > ROLE_ADMIN
            ROLE_ADMIN > ROLE_USER
        '''
    }
    // Override the plugin's roleVoter bean with one that consults the hierarchy
    roleVoter(RoleHierarchyVoter, ref('roleHierarchy'))
}
```
You can download a small demo app here that shows how it works. Unpack the app and run grails run-app, and then open http://localhost:8080/hierarchical/secure/. The app creates three users in BootStrap:
Username | Password | Role
---|---|---
user | user | ROLE_USER
admin | admin | ROLE_ADMIN
superadmin | superadmin | ROLE_SUPERADMIN
so you can log in as each user to test the secured actions:

```groovy
class SecureController {

    def index = {}

    @Secured(['ROLE_USER'])
    def user = { ... }

    @Secured(['ROLE_ADMIN'])
    def admin = { ... }

    @Secured(['ROLE_SUPERADMIN'])
    def superadmin = { ... }
}
```
Log out in between by navigating to http://localhost:8080/hierarchical/logout. Although only one role is defined for each action, as the super admin you can access all three, as the admin you can access admin and user, and as the user you can only access user.
I’ll make this part of the plugin at some point to make configuration simpler, but for now it’s not much work to do it explicitly.
Thanks to this article and the docs, I have hierarchical roles working as expected. Please forgive this loosely related question, but is there a solution for using the same spring security domain across multiple grails applications that all use the same database? The issue is that the RequestMap object is not application aware — I can go through the exercise to make it so, but I’d like to avoid mucking with your plugin if at all possible.
What can the “tree” of role hierarchies look like? All the examples are strictly linear. What about:
SUPER_ADMIN > ADMIN_FOR_AREA1, ADMIN_FOR_AREA2, …
Can this be expressed? How?
I think this might be it:
SUPER_ADMIN > ADMIN_FOR_AREA1
SUPER_ADMIN > ADMIN_FOR_AREA2
…
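The following is an added example, not code from the post or from the Grails plugin: a small Python model of what the hierarchy String in the resources.groovy above means (each "HIGHER > LOWER" line makes the higher role imply the lower one, transitively), and of the branching tree asked about in the comments, written as one relation per line. It models the semantics only; the names parse_hierarchy, reachable_roles and is_granted are this example's own, not Spring Security's API.

```python
# Added example: models how a RoleHierarchyImpl-style string expands the roles a
# user holds, which is why one @Secured role per action is enough in the demo.
from collections import defaultdict

def parse_hierarchy(text):
    """Parse 'HIGHER > LOWER' lines into a higher -> {lower} map.

    One relation per line, as in the post's configuration. A chain such as
    'A > B > C' is split into (A, B) and (B, C); that is this model's choice,
    not a claim about what every RoleHierarchyImpl version accepts.
    """
    edges = defaultdict(set)
    for line in text.splitlines():
        parts = [p.strip() for p in line.split('>') if p.strip()]
        for higher, lower in zip(parts, parts[1:]):
            edges[higher].add(lower)
    return edges

def reachable_roles(edges, held):
    """Transitive closure: every role implied by the roles actually held.
    The visited set keeps a misconfigured cyclic hierarchy from looping."""
    reachable = set()
    stack = list(held)
    while stack:
        role = stack.pop()
        if role not in reachable:
            reachable.add(role)
            stack.extend(edges.get(role, ()))
    return reachable

def is_granted(edges, held, required):
    """RoleHierarchyVoter-style check: vote on the expanded role set.
    With an empty hierarchy this is plain RoleVoter behaviour (exact match)."""
    return required in reachable_roles(edges, held)

# Constructed input: the hierarchy from the post's resources.groovy.
LINEAR = """
    ROLE_SUPERADMIN > ROLE_ADMIN
    ROLE_ADMIN > ROLE_USER
"""

# Constructed input: the branching tree from the comments, one relation per line.
BRANCHING = """
    SUPER_ADMIN > ADMIN_FOR_AREA1
    SUPER_ADMIN > ADMIN_FOR_AREA2
"""
```

Running reachable_roles over LINEAR for each demo user reproduces the access pattern described in the post, and over BRANCHING it shows SUPER_ADMIN reaching both area roles while neither area admin reaches the other.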