From 65c3c97b3af705729fdb55cb10db28192c6ff2e9 Mon Sep 17 00:00:00 2001
From: Avgustin Marinov <Avgustin.Marinov@bosch.com>
Date: Thu, 11 Jun 2026 16:31:39 +0300
Subject: [PATCH] Declare access controllers as infra (#3127)

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>
---
 .../jpa/acm/AccessControllerConfiguration.java           | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/AccessControllerConfiguration.java b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/AccessControllerConfiguration.java
index ce687356c..2c4edf1a5 100644
--- a/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/AccessControllerConfiguration.java
+++ b/hawkbit-repository/hawkbit-repository-jpa/src/main/java/org/eclipse/hawkbit/repository/jpa/acm/AccessControllerConfiguration.java
@@ -40,11 +40,13 @@ import org.eclipse.hawkbit.repository.qfields.TargetFields;
 import org.eclipse.hawkbit.repository.qfields.TargetTypeFields;
 import org.jspecify.annotations.NullMarked;
 import org.jspecify.annotations.Nullable;
+import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Primary;
+import org.springframework.context.annotation.Role;
 import org.springframework.data.jpa.domain.Specification;
 import org.springframework.expression.EvaluationContext;
 import org.springframework.security.access.PermissionEvaluator;
@@ -62,12 +64,14 @@ import org.springframework.util.function.SingletonSupplier;
 public class AccessControllerConfiguration {
 
     @Bean
+    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
     @ConditionalOnProperty(name = "hawkbit.acm.access-controller.target.enabled", havingValue = "true", matchIfMissing = true)
     AccessController<JpaTarget> targetAccessController() {
         return new DefaultAccessController<>(TargetFields.class, SpPermission.TARGET);
     }
 
     @Bean
+    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
     @ConditionalOnProperty(name = "hawkbit.acm.access-controller.action.enabled", havingValue = "true", matchIfMissing = true)
     AccessController<JpaAction> actionAccessController(final AccessController<JpaTarget> targetAccessController) {
         return new AccessController<>() {
@@ -110,30 +114,35 @@ public class AccessControllerConfiguration {
     }
 
     @Bean
+    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
     @ConditionalOnProperty(name = "hawkbit.acm.access-controller.target-type.enabled", havingValue = "true", matchIfMissing = true)
     AccessController<JpaTargetType> targetTypeAccessController() {
         return new DefaultAccessController<>(TargetTypeFields.class, SpPermission.TARGET_TYPE);
     }
 
     @Bean
+    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
     @ConditionalOnProperty(name = "hawkbit.acm.access-controller.software-module.enabled", havingValue = "true", matchIfMissing = true)
     AccessController<JpaSoftwareModule> softwareModuleAccessController() {
         return new DefaultAccessController<>(SoftwareModuleFields.class, SpPermission.SOFTWARE_MODULE);
     }
 
     @Bean
+    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
     @ConditionalOnProperty(name = "hawkbit.acm.access-controller.software-module-type.enabled", havingValue = "true", matchIfMissing = true)
     AccessController<JpaSoftwareModuleType> softwareModuleTypeAccessController() {
         return new DefaultAccessController<>(SoftwareModuleTypeFields.class, SpPermission.SOFTWARE_MODULE_TYPE);
     }
 
     @Bean
+    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
     @ConditionalOnProperty(name = "hawkbit.acm.access-controller.distribution-set.enabled", havingValue = "true", matchIfMissing = true)
     AccessController<JpaDistributionSet> distributionSetAccessController() {
         return new DefaultAccessController<>(DistributionSetFields.class, SpPermission.DISTRIBUTION_SET);
     }
 
     @Bean
+    @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
     @ConditionalOnProperty(name = "hawkbit.acm.access-controller.distribution-set-type.enabled", havingValue = "true", matchIfMissing = true)
     AccessController<JpaDistributionSetType> distributionSetTypeAccessController() {
         return new DefaultAccessController<>(DistributionSetTypeFields.class, SpPermission.DISTRIBUTION_SET_TYPE);