diff --git a/messaging/src/main/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandler.java b/messaging/src/main/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandler.java index ee44c967b4..9f9e74bdb6 100644 --- a/messaging/src/main/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandler.java +++ b/messaging/src/main/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandler.java @@ -40,6 +40,7 @@ public class DefaultMessageSecurityExpressionHandler extends AbstractSecurity protected SecurityExpressionOperations createSecurityExpressionRoot(Authentication authentication, Message invocation) { MessageSecurityExpressionRoot root = new MessageSecurityExpressionRoot(authentication,invocation); root.setTrustResolver(trustResolver); + root.setRoleHierarchy(getRoleHierarchy()); return root; } diff --git a/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java b/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java index 8cb3c19080..742b4ef9c3 100644 --- a/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java +++ b/messaging/src/test/java/org/springframework/security/messaging/access/expression/DefaultMessageSecurityExpressionHandlerTests.java @@ -28,8 +28,10 @@ import org.springframework.expression.Expression; import org.springframework.messaging.Message; import org.springframework.messaging.support.GenericMessage; import org.springframework.security.access.expression.ExpressionUtils; +import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl; import org.springframework.security.authentication.AnonymousAuthenticationToken; import org.springframework.security.authentication.AuthenticationTrustResolver; +import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.authority.AuthorityUtils; @@ -75,4 +77,16 @@ public class DefaultMessageSecurityExpressionHandlerTests { assertThat(ExpressionUtils.evaluateAsBoolean(expression, context)).isTrue(); } + + @Test + public void roleHierarchy() { + authentication = new TestingAuthenticationToken("admin", "pass", "ROLE_ADMIN"); + RoleHierarchyImpl roleHierarchy = new RoleHierarchyImpl(); + roleHierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER"); + handler.setRoleHierarchy(roleHierarchy); + EvaluationContext context = handler.createEvaluationContext(authentication, message); + Expression expression = handler.getExpressionParser().parseExpression("hasRole('ROLE_USER')"); + + assertThat(ExpressionUtils.evaluateAsBoolean(expression, context)).isTrue(); + } }