Class RoleHierarchyImpl
- All Implemented Interfaces:
- RoleHierarchy
This class defines a role hierarchy for use with various access checking components.
Here is an example configuration of a role hierarchy (hint: read the ">" sign as "includes"):
     <property name="hierarchy">
         <value>
             ROLE_A > ROLE_B
             ROLE_B > ROLE_AUTHENTICATED
             ROLE_AUTHENTICATED > ROLE_UNAUTHENTICATED
         </value>
     </property>
 
 Explanation of the above:
- In effect every user with ROLE_A also has ROLE_B, ROLE_AUTHENTICATED and ROLE_UNAUTHENTICATED;
- every user with ROLE_B also has ROLE_AUTHENTICATED and ROLE_UNAUTHENTICATED;
- every user with ROLE_AUTHENTICATED also has ROLE_UNAUTHENTICATED.
Hierarchical Roles will dramatically shorten your access rules (and also make the access rules much more elegant).
Consider this access rule for Spring Security's RoleVoter (background: every user that is authenticated should be able to log out):
     /logout.html=ROLE_A,ROLE_B,ROLE_AUTHENTICATED
With hierarchical roles this can now be shortened to:
     /logout.html=ROLE_AUTHENTICATED
In addition to shorter rules this will also make your access rules more readable and your intentions clearer.

Constructor Summary
Constructors
- RoleHierarchyImpl()

Method Summary
Modifier and Type, Method, Description
- Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<? extends GrantedAuthority> authorities): Returns an array of all reachable authorities.
- void setHierarchy(String roleHierarchyStringRepresentation): Set the role hierarchy and pre-calculate for every role the set of all reachable roles, i.e. all roles lower in the hierarchy of every given role.

Constructor Details
RoleHierarchyImpl
     public RoleHierarchyImpl()

Method Details
setHierarchy
Set the role hierarchy and pre-calculate for every role the set of all reachable roles, i.e. all roles lower in the hierarchy of every given role. Pre-calculation is done for performance reasons (reachable roles can then be calculated in O(1) time). During pre-calculation, cycles in role hierarchy are detected and will cause a CycleInRoleHierarchyException to be thrown.
- Parameters:
- roleHierarchyStringRepresentation - String definition of the role hierarchy.

getReachableGrantedAuthorities
     public Collection<GrantedAuthority> getReachableGrantedAuthorities(Collection<? extends GrantedAuthority> authorities)
Description copied from interface: RoleHierarchy
Returns an array of all reachable authorities.
Reachable authorities are the directly assigned authorities plus all authorities that are (transitively) reachable from them in the role hierarchy.
Example:
 Role hierarchy: ROLE_A > ROLE_B > ROLE_C.
 Directly assigned authority: ROLE_A.
 Reachable authorities: ROLE_A, ROLE_B, ROLE_C.
- Specified by:
- getReachableGrantedAuthorities in interface RoleHierarchy
- Parameters:
- authorities - List of the directly assigned authorities.
- Returns:
- List of all reachable authorities given the assigned authorities.
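
The following is an added example, not code from the Spring Security documentation. It loads the hierarchy from the configuration at the top of this page, shows that inclusion only flows downwards, contrasts a check on raw authorities with a check on the expanded set for the shortened /logout.html rule, and triggers the cycle detection described under setHierarchy. The class name RoleHierarchyDemo and the helper reachable are hypothetical, and spring-security-core is assumed to be on the classpath.

```java
import java.util.Collection;
import java.util.Set;
import java.util.TreeSet;

import org.springframework.security.access.hierarchicalroles.CycleInRoleHierarchyException;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

// Added example (hypothetical class name); needs spring-security-core on the classpath.
public class RoleHierarchyDemo {

    // Expand directly assigned roles into the sorted names of all reachable roles.
    static Set<String> reachable(RoleHierarchyImpl hierarchy, String... assigned) {
        Collection<? extends GrantedAuthority> expanded = hierarchy
                .getReachableGrantedAuthorities(AuthorityUtils.createAuthorityList(assigned));
        return new TreeSet<>(AuthorityUtils.authorityListToSet(expanded));
    }

    public static void main(String[] args) {
        RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
        // One "higher > lower" rule per line, as in the configuration on this page.
        hierarchy.setHierarchy("ROLE_A > ROLE_B\n"
                + "ROLE_B > ROLE_AUTHENTICATED\n"
                + "ROLE_AUTHENTICATED > ROLE_UNAUTHENTICATED");

        // Inclusion only flows downwards: ROLE_B must never gain ROLE_A.
        System.out.println("ROLE_A reaches " + reachable(hierarchy, "ROLE_A"));
        System.out.println("ROLE_B reaches " + reachable(hierarchy, "ROLE_B"));

        // The shortened rule /logout.html=ROLE_AUTHENTICATED admits a ROLE_A user
        // only when the check runs on the expanded set, not the raw authorities.
        Set<String> raw = AuthorityUtils.authorityListToSet(
                AuthorityUtils.createAuthorityList("ROLE_A"));
        System.out.println("raw check passes:      " + raw.contains("ROLE_AUTHENTICATED"));
        System.out.println("expanded check passes: "
                + reachable(hierarchy, "ROLE_A").contains("ROLE_AUTHENTICATED"));

        // A rule written in the wrong direction closes a loop and is rejected.
        try {
            new RoleHierarchyImpl().setHierarchy("ROLE_A > ROLE_B\nROLE_B > ROLE_A");
        } catch (CycleInRoleHierarchyException ex) {
            System.out.println("cyclic hierarchy rejected: " + ex.getClass().getSimpleName());
        }
    }
}
```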
 
 