GeoFence does not use roles from SecurityContext when checking rules

Description

When GeoFence/GeoServer is configured with authorization from HTTP header (preauthorized), the configured header fields are correctly extracted and synthesized to users and roles. When manually adding one of the roles set through the configured header and restricting access to e.g. a layer via GeoFence rules, GeoFence does not use those.

I'm proposing a PR that extracts any roles from the Spring SecurityContext and adds them to the current user's roles determined by the GeoFence user resolver.

While this approach certainly works, I'd like some input from someone with the bigger picture in mind; I'm not that familiar with GeoServer/GeoFence security yet.

Proposed PR: https://github.com/geoserver/geofence/pull/101

Environment

Tested with GeoServer 2.12.2 and latest GeoFence (internal)
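
The role merge described in this report, as an added example (not the code from the linked PR and not GeoFence's own code): the authorities of the current Spring Security authentication are unioned with the roles a resolver returned, and a role-restricted rule is evaluated against both sets. `effectiveRoles`, `ruleAllows`, the user `alice` and the role `LAYER_EDITORS` are hypothetical names; only the Spring Security calls are real API.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class MergedRolesExample {

    // Hypothetical helper: union of the resolver's roles and the request's authorities.
    static Set<String> effectiveRoles(Set<String> resolverRoles) {
        Set<String> roles = new LinkedHashSet<>(resolverRoles);
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // Ignore missing or incomplete authentications.
        if (auth != null && auth.isAuthenticated()) {
            for (GrantedAuthority ga : auth.getAuthorities()) {
                // An anonymous request typically contributes ROLE_ANONYMOUS here.
                if (ga.getAuthority() != null) {
                    roles.add(ga.getAuthority());
                }
            }
        }
        return roles;
    }

    // Hypothetical stand-in for a rule that is restricted to a single role.
    static boolean ruleAllows(String ruleRole, Set<String> roles) {
        return roles.contains(ruleRole);
    }

    public static void main(String[] args) {
        // Constructed sample: the header filter mapped the request to "alice" with one role.
        SecurityContextHolder.getContext().setAuthentication(
            new PreAuthenticatedAuthenticationToken("alice", "N/A",
                AuthorityUtils.createAuthorityList("LAYER_EDITORS")));

        // Assumption: the resolver itself returns no roles for this user.
        Set<String> resolverRoles = Collections.emptySet();
        System.out.println("resolver roles only: " + ruleAllows("LAYER_EDITORS", resolverRoles));
        System.out.println("merged roles:        "
            + ruleAllows("LAYER_EDITORS", effectiveRoles(resolverRoles)));
        SecurityContextHolder.clearContext();
    }
}
```

With a merge like this, rule decisions depend on whatever authorities the authentication filter placed in the context, so the header-based filter should only be reachable through a proxy that strips client-supplied copies of those headers.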

Assignee

Unassigned

Reporter

Andreas Schmitz

Triage

None

Fix versions

None

Affects versions

Components

Priority

Medium