SEC-2328: Add hasAnyRole to ExpressionUrlAuthorizationConfiguration

2025-02-26 09:24:53 +00:00 · 2013-09-23 10:51:08 -05:00 · 2013-09-23 10:51:08 -05:00 · 28fb6ba14b
commit 28fb6ba14b
parent b16c17f70b
2 changed files with 35 additions and 0 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationConfigurer.java
@ -157,6 +157,11 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
        return expressionHandler;
    }

+    private static String hasAnyRole(String... authorities) {
+        String anyAuthorities = StringUtils.arrayToDelimitedString(authorities, "','ROLE_");
+        return "hasAnyRole('ROLE_" + anyAuthorities + "')";
+    }
+
    private static String hasRole(String role) {
        Assert.notNull(role, "role cannot be null");
        if (role.startsWith("ROLE_")) {
@ -215,6 +220,22 @@ public final class ExpressionUrlAuthorizationConfigurer<H extends HttpSecurityBu
            return access(ExpressionUrlAuthorizationConfigurer.hasRole(role));
        }

+        /**
+         * Shortcut for specifying URLs require any of a number of roles. If you
+         * do not want to have "ROLE_" automatically inserted see
+         * {@link #hasAnyAuthority(String...)}
+         *
+         * @param roles
+         *            the roles to require (i.e. USER, ADMIN, etc). Note, it
+         *            should not start with "ROLE_" as this is automatically
+         *            inserted.
+         * @return the {@link ExpressionUrlAuthorizationConfigurer} for further
+         *         customization
+         */
+        public ExpressionUrlAuthorizationConfigurer<H> hasAnyRole(String... roles) {
+            return access(ExpressionUrlAuthorizationConfigurer.hasAnyRole(roles));
+        }
+
        /**
         * Specify that URLs require a particular authority.
         *
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationsTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/ExpressionUrlAuthorizationsTests.groovy
@ -46,6 +46,20 @@ public class ExpressionUrlAuthorizationConfigurerTests extends BaseSpringSpec {
            expression == "hasAnyAuthority('ROLE_USER','ROLE_ADMIN')"
    }

+    def "hasAnyRole('USER')"() {
+        when:
+            def expression = ExpressionUrlAuthorizationConfigurer.hasAnyRole("USER")
+        then:
+            expression == "hasAnyRole('ROLE_USER')"
+    }
+
+    def "hasAnyRole('USER','ADMIN')"() {
+        when:
+            def expression = ExpressionUrlAuthorizationConfigurer.hasAnyRole("USER","ADMIN")
+        then:
+            expression == "hasAnyRole('ROLE_USER','ROLE_ADMIN')"
+    }
+
    def "hasRole('ROLE_USER') is rejected due to starting with ROLE_"() {
        when:
            def expression = ExpressionUrlAuthorizationConfigurer.hasRole("ROLE_USER")