org.springframework.security.userdetails.hierarchicalroles
Class RoleHierarchyImpl

java.lang.Object
  org.springframework.security.userdetails.hierarchicalroles.RoleHierarchyImpl

All Implemented Interfaces:

RoleHierarchy

public class RoleHierarchyImpl
extends Object
implements RoleHierarchy

This class defines a role hierarchy for use with the UserDetailsServiceWrapper.

Here is an example configuration of a role hierarchy (hint: read the ">" sign as "includes"):

        <property name="hierarchy">
            <value>
                ROLE_A > ROLE_B
                ROLE_B > ROLE_AUTHENTICATED
                ROLE_AUTHENTICATED > ROLE_UNAUTHENTICATED
            </value>
        </property>

Explanation of the above:
In effect every user with ROLE_A also has ROLE_B, ROLE_AUTHENTICATED and ROLE_UNAUTHENTICATED;
every user with ROLE_B also has ROLE_AUTHENTICATED and ROLE_UNAUTHENTICATED;
every user with ROLE_AUTHENTICATED also has ROLE_UNAUTHENTICATED.

Hierarchical Roles will dramatically shorten your access rules (and also make the access rules much more elegant).

Consider this access rule for Spring Security's RoleVoter (background: every user that is authenticated should be able to log out):
/logout.html=ROLE_A,ROLE_B,ROLE_AUTHENTICATED
With hierarchical roles this can now be shortened to:
/logout.html=ROLE_AUTHENTICATED
In addition to shorter rules this will also make your access rules more readable and your intentions clearer.

Author:

Michael Mayr

Constructor Summary

RoleHierarchyImpl()

Method Summary

GrantedAuthority[]

getReachableGrantedAuthorities(GrantedAuthority[] authorities) This method returns an array of all reachable authorities. Reachable authorities are the directly assigned authorities plus all authorities that are (transitively) reachable from them in the role hierarchy. Example: Role hierarchy: ROLE_A > ROLE_B and ROLE_B > ROLE_C. Directly assigned authority: ROLE_A. Reachable authorities: ROLE_A, ROLE_B, ROLE_C.

void

setHierarchy(String roleHierarchyStringRepresentation) Set the role hierarchy and precalculate for every role the set of all reachable roles, i.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

RoleHierarchyImpl

public RoleHierarchyImpl()

Method Detail

setHierarchy

public void setHierarchy(String roleHierarchyStringRepresentation)

Set the role hierarchy and precalculate for every role the set of all reachable roles, i. e. all roles lower in the hierarchy of every given role. Precalculation is done for performance reasons (reachable roles can then be calculated in O(1) time). During precalculation cycles in role hierarchy are detected and will cause a CycleInRoleHierarchyException to be thrown.

Parameters:

roleHierarchyStringRepresentation - - String definition of the role hierarchy.

getReachableGrantedAuthorities

public GrantedAuthority[] getReachableGrantedAuthorities(GrantedAuthority[] authorities)

Description copied from interface: RoleHierarchy

This method returns an array of all reachable authorities.
Reachable authorities are the directly assigned authorities plus all authorities that are (transitively) reachable from them in the role hierarchy.
Example:
Role hierarchy: ROLE_A > ROLE_B and ROLE_B > ROLE_C.
Directly assigned authority: ROLE_A.
Reachable authorities: ROLE_A, ROLE_B, ROLE_C.

Specified by:

getReachableGrantedAuthorities in interface RoleHierarchy

Parameters:

authorities - - Array of the directly assigned authorities.

Returns:

Array of all reachable authorities given the assigned authorities.