Class RoleHierarchyImpl

  • All Implemented Interfaces:

    public class RoleHierarchyImpl
    extends java.lang.Object
    implements RoleHierarchy

    This class defines a role hierarchy for use with various access checking components.

    Here is an example configuration of a role hierarchy (hint: read the ">" sign as "includes"):

         <property name="hierarchy">
                 ROLE_A > ROLE_B
                 ROLE_B > ROLE_AUTHENTICATED

    Explanation of the above:

    • In effect every user with ROLE_A also has ROLE_B, ROLE_AUTHENTICATED and ROLE_UNAUTHENTICATED;
    • every user with ROLE_B also has ROLE_AUTHENTICATED and ROLE_UNAUTHENTICATED;

    Hierarchical Roles will dramatically shorten your access rules (and also make the access rules much more elegant).

    Consider this access rule for Spring Security's RoleVoter (background: every user that is authenticated should be able to log out):

    With hierarchical roles this can now be shortened to:
    In addition to shorter rules this will also make your access rules more readable and your intentions clearer.
    • Method Summary

      All Methods Instance Methods Concrete Methods 
      Modifier and Type Method Description
      java.util.Collection<GrantedAuthority> getReachableGrantedAuthorities​(java.util.Collection<? extends GrantedAuthority> authorities)
      Returns an array of all reachable authorities.
      void setHierarchy​(java.lang.String roleHierarchyStringRepresentation)
      Set the role hierarchy and pre-calculate for every role the set of all reachable roles, i.e.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • RoleHierarchyImpl

        public RoleHierarchyImpl()
    • Method Detail

      • setHierarchy

        public void setHierarchy​(java.lang.String roleHierarchyStringRepresentation)
        Set the role hierarchy and pre-calculate for every role the set of all reachable roles, i.e. all roles lower in the hierarchy of every given role. Pre-calculation is done for performance reasons (reachable roles can then be calculated in O(1) time). During pre-calculation, cycles in role hierarchy are detected and will cause a CycleInRoleHierarchyException to be thrown.
        roleHierarchyStringRepresentation - - String definition of the role hierarchy.
      • getReachableGrantedAuthorities

        public java.util.Collection<GrantedAuthority> getReachableGrantedAuthorities​(java.util.Collection<? extends GrantedAuthority> authorities)
        Description copied from interface: RoleHierarchy
        Returns an array of all reachable authorities.

        Reachable authorities are the directly assigned authorities plus all authorities that are (transitively) reachable from them in the role hierarchy.

        Role hierarchy: ROLE_A > ROLE_B > ROLE_C.
        Directly assigned authority: ROLE_A.
        Reachable authorities: ROLE_A, ROLE_B, ROLE_C.

        Specified by:
        getReachableGrantedAuthorities in interface RoleHierarchy
        authorities - - List of the directly assigned authorities.
        List of all reachable authorities given the assigned authorities.