Merge pull request #55 from pawl1n/fix_role_hierarchy

fix: allow access to endpoints using role hierarchy

src/main/java/ua/kishkastrybaie/security/SecurityConfiguration.java

@@ -19,6 +19,7 @@
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.authorization.AuthorityAuthorizationManager;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -33,6 +34,7 @@
 import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
@@ -65,6 +67,10 @@ public PasswordEncoder passwordEncoder() {
 
   @Bean
   public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
+    AuthorityAuthorizationManager<RequestAuthorizationContext> hasRoleUser =
+        AuthorityAuthorizationManager.hasRole(Role.USER.name());
+    hasRoleUser.setRoleHierarchy(roleHierarchy());
+
     return httpSecurity
         .csrf(AbstractHttpConfigurer::disable)
         .cors(Customizer.withDefaults())
@@ -75,7 +81,7 @@ public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws
                     .requestMatchers(GET, PUBLIC_GET_ENDPOINTS)
                     .permitAll()
                     .requestMatchers(USER_ENDPOINTS)
-                    .hasRole(Role.USER.name())
+                    .access(hasRoleUser)
                     .anyRequest()
                     .hasRole(Role.ADMIN.name()))
         .sessionManagement(
@@ -88,9 +94,10 @@ public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws
   @Bean
   RoleHierarchy roleHierarchy() {
     Map<String, List<String>> roleHierarchyMap = new HashMap<>();
-    roleHierarchyMap.put(Role.ADMIN.name(), List.of(Role.USER.name()));
+    roleHierarchyMap.put(Role.ADMIN.withPrefix(), List.of(Role.USER.withPrefix()));
     RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl();
     roleHierarchy.setHierarchy(RoleHierarchyUtils.roleHierarchyFromMap(roleHierarchyMap));
+
     return roleHierarchy;
   }
 
@@ -107,7 +114,6 @@ CorsConfigurationSource corsConfigurationSource() {
     return source;
   }
 
-
   @Bean
   @Primary
   JwtEncoder jwtAccessTokenEncoder() {
@@ -135,7 +141,8 @@ JwtDecoder jwtRefreshTokenDecoder() {
   @Bean
   @Qualifier("refreshToken")
   JwtAuthenticationProvider jwtAuthenticationProvider() {
-    JwtAuthenticationProvider jwtAuthenticationProvider = new JwtAuthenticationProvider(jwtRefreshTokenDecoder());
+    JwtAuthenticationProvider jwtAuthenticationProvider =
+        new JwtAuthenticationProvider(jwtRefreshTokenDecoder());
     jwtAuthenticationProvider.setJwtAuthenticationConverter(jwtToUserConverter);
     return jwtAuthenticationProvider;
   }

src/main/java/ua/kishkastrybaie/user/Role.java

@@ -2,5 +2,9 @@
 
 public enum Role {
   USER,
-  ADMIN
+  ADMIN;
+
+  public String withPrefix() {
+    return "ROLE_" + name().toUpperCase();
+  }
 }

src/main/java/ua/kishkastrybaie/user/User.java

@@ -54,7 +54,7 @@ public void setEmail(String email) {
 
   @Override
   public Collection<? extends GrantedAuthority> getAuthorities() {
-    return List.of(new SimpleGrantedAuthority("ROLE_" + role.name()));
+    return List.of(new SimpleGrantedAuthority(role.withPrefix()));
   }
 
   @Override