public class RoleHierarchyImpl extends Object implements RoleHierarchy
This class defines a role hierarchy for use with the UserDetailsServiceWrapper.
Here is an example configuration of a role hierarchy (hint: read the ">" sign as "includes"):
<property name="hierarchy"> <value> ROLE_A > ROLE_B ROLE_B > ROLE_AUTHENTICATED ROLE_AUTHENTICATED > ROLE_UNAUTHENTICATED </value> </property>
Explanation of the above:
In effect every user with ROLE_A also has ROLE_B, ROLE_AUTHENTICATED and ROLE_UNAUTHENTICATED;
every user with ROLE_B also has ROLE_AUTHENTICATED and ROLE_UNAUTHENTICATED;
every user with ROLE_AUTHENTICATED also has ROLE_UNAUTHENTICATED.
Hierarchical Roles will dramatically shorten your access rules (and also make the access rules much more elegant).
Consider this access rule for Spring Security's RoleVoter (background: every user that
is authenticated should be able to log out):
With hierarchical roles this can now be shortened to:
In addition to shorter rules this will also make your access rules more readable and your intentions clearer.
|Constructor and Description|
|Modifier and Type||Method and Description|
Returns an array of all reachable authorities.
Set the role hierarchy and pre-calculate for every role the set of all reachable roles, i.e.
public void setHierarchy(String roleHierarchyStringRepresentation)
roleHierarchyStringRepresentation- - String definition of the role hierarchy.
public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<? extends GrantedAuthority> authorities)
Reachable authorities are the directly assigned authorities plus all authorities that are (transitively) reachable from them in the role hierarchy.
Role hierarchy: ROLE_A > ROLE_B and ROLE_B > ROLE_C.
Directly assigned authority: ROLE_A.
Reachable authorities: ROLE_A, ROLE_B, ROLE_C.