From 109f6e7028dd6c074e449c775639e9a82e2197b5 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Fri, 24 Feb 2023 13:43:43 -0700 Subject: [PATCH] Add Note about RoleHierarchy Closes gh-12766 --- .../ROOT/pages/servlet/authorization/architecture.adoc | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc b/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc index f4ca5b07e9..2e0dbf6fa8 100644 --- a/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc +++ b/docs/modules/ROOT/pages/servlet/authorization/architecture.adoc @@ -225,6 +225,11 @@ AccessDecisionVoter hierarchyVoter() { ---- ==== +[NOTE] +`RoleHierarchy` bean configuration is not yet ported over to `@EnableMethodSecurity`. +As such this example is using `AccessDecisionVoter`. +If you need `RoleHierarchy` support for method security, please continue using `@EnableGlobalMethodSecurity` until https://github.com/spring-projects/spring-security/issues/12783 is complete. + Here we have four roles in a hierarchy `ROLE_ADMIN => ROLE_STAFF => ROLE_USER => ROLE_GUEST`. A user who is authenticated with `ROLE_ADMIN`, will behave as if they have all four roles when security constraints are evaluated against an `AuthorizationManager` adapted to call the above `RoleHierarchyVoter`. The `>` symbol can be thought of as meaning "includes".
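Review bot: In the added `[NOTE]`, "not yet ported over to `@EnableMethodSecurity`" does not say what a reader will observe if they declare a `RoleHierarchy` bean alongside that annotation. Since this decides whether hierarchy-based role checks are actually in effect for method security, state the behavior explicitly, for example whether the bean is ignored or rejected at startup. The note also lands between the example block and the "Here we have four roles in a hierarchy" paragraph that explains that example. Consider moving it after that paragraph, or above the example, so the explanation stays attached to the code. Finally, "until https://github.com/spring-projects/spring-security/issues/12783 is complete" will go stale once that issue closes, so it is worth recording on the issue that this note should be removed as part of the fix.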