Closed ttasjwi closed 2 weeks ago
Hi, @ttasjwi. Thanks for the report.
Can you clarify what is inconsistent between the two configurations?
Hi, @ttasjwi. Thanks for the report.
Can you clarify what is inconsistent between the two configurations?
Hi,
To clarify the inconsistencies between the two configurations:
When using the traditional DSL configuration, the RoleHierarchy works as expected. However, when using the Kotlin DSL configuration, the RoleHierarchy seems to behave inconsistently. For example, an ADMIN user should be able to access the /user
endpoint, but in practice, this is not always the case.
Here's a summary of the issue I’m encountering:
The only difference between the two setups is the declaration of the securityFilterChain method. All other components, including the Controller, UserDetailsService, and RoleHierarchy bean, remain the same.
Here are the two securityFilterChain configurations for comparison:
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http.authorizeHttpRequests {
it
.requestMatchers("/user").hasRole("USER")
.requestMatchers("/admin").hasRole("ADMIN")
.requestMatchers("/db").hasRole("DB")
}
.formLogin(Customizer.withDefaults())
.csrf { it.disable() }
return http.build()
}
import org.springframework.security.config.annotation.web.invoke
@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
authorizeHttpRequests {
authorize("/user", hasRole("USER"))
authorize("/admin", hasRole("ADMIN"))
authorize("/db", hasRole("DB"))
authorize(anyRequest, authenticated)
}
formLogin { }
csrf { disable() }
}
return http.build()
}
I would like to know if I am missing something in my Kotlin DSL configuration or if there are additional steps required to properly set up the RoleHierarchy in Kotlin DSL.
Thank you for your assistance.
Hi @ttasjwi. I see that there is no support for RoleHierarchy
bean in the authorizeHttpRequests
Kotlin DSL. The issue https://github.com/spring-projects/spring-security/issues/13188 has added it but only to the Java DSL.
I'll repurpose this ticket to add the support to the Kotlin DSL.
Hello, Spring Security Team.
I have encountered an issue when configuring security with Kotlin DSL and RoleHierarchy. The behavior seems inconsistent compared to the traditional DSL configuration.
Controller
UserDetailsService
RoleHierarchy Bean
The RoleHierarchy bean is configured as follows:
Traditional DSL Configuration
Using the traditional DSL configuration, RoleHierarchy works as expected:
Kotlin DSL Configuration
However, when using the Kotlin DSL configuration, the RoleHierarchy seems to behave inconsistently:
Environment