HasRole always returns 403

I cannot get my security configuration right. No matter what I do, when I use hasRole my endpoints always return 403.

In addition, I cannot get anything to work unless I duplicate my antMatchers under both .requestMatchers() and .authorizeRequests(). I am clearly missing something.

Basically, I want everything to require authentication, but several endpoints should only be accessible if the user is a member of certain groups (currently just administrators).

My security configuration is as follows. Everything except hasRole works.

/**
 * Web-layer security rules: CSRF off, the Swagger documentation paths open to everyone,
 * {@code GET /users} limited to the ADMIN role, and authentication required for anything
 * else this chain handles.
 *
 * NOTE(review): {@code hasRole("ADMIN")} matches a granted authority named {@code ROLE_ADMIN};
 * a UserDetailsService that grants the authority {@code ADMIN} will produce 403 here — confirm
 * the authority names the service returns.
 * NOTE(review): {@code requestMatchers()} narrows this filter chain to the listed paths only,
 * so {@code anyRequest().authenticated()} never sees other endpoints — confirm that is intended.
 */
@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {
    /** Swagger / OpenAPI documentation paths that are served without authentication. */
    private static final String[] API_DOC_PATHS = {
        "/v2/api-docs", "/swagger-resources/**", "/swagger-ui.html"
    };
    /** Endpoint restricted to administrators. */
    private static final String USERS_PATH = "/users";

    /**
     * Configures the HTTP security rules for the paths this chain is scoped to.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF is disabled outright; acceptable only if every client authenticates with a
        // bearer token rather than a cookie-backed session — NOTE(review): confirm.
        http.csrf().disable();

        // Scope of this filter chain: only the documentation GETs and GET /users.
        http.requestMatchers()
                .antMatchers(HttpMethod.GET, API_DOC_PATHS)
                .antMatchers(HttpMethod.GET, USERS_PATH);

        // Authorization rules for the requests matched above.
        http.authorizeRequests()
                .antMatchers(HttpMethod.GET, API_DOC_PATHS).permitAll()
                .antMatchers(HttpMethod.GET, USERS_PATH).hasRole("ADMIN")
                .anyRequest().authenticated();
    }

    // Inspiration: https://spring.io/blog/2015/06/08/cors-support-in-spring-framework#comment-2416096114
    /**
     * Leaves CORS pre-flight requests ({@code OPTIONS} on any path) entirely outside the
     * security filter chain.
     *
     * @param web the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers(HttpMethod.OPTIONS, "/**");
    }
}

My authentication configuration is as follows.

/**
 * Wires the application's {@link UserDetailsService} and {@link PasswordEncoder} into the
 * global {@link AuthenticationManagerBuilder}.
 *
 * NOTE(review): {@code @EnableResourceServer} on this class registers a separate
 * resource-server filter chain; which chain handles a given request depends on chain
 * ordering — confirm against the rules in WebSecurityConfiguration.
 */
@Configuration
@EnableResourceServer
public class AuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter {
    private final UserDetailsService users;
    private final PasswordEncoder encoder;

    /**
     * @param userService     lookup of users by user name
     * @param passwordEncoder encoder used to verify submitted passwords
     */
    public AuthenticationConfiguration(UserDetailsService userService, PasswordEncoder passwordEncoder) {
        users = userService;
        encoder = passwordEncoder;
    }

    /**
     * Registers the user store and the password encoder with the global authentication manager.
     *
     * @param auth the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(users).passwordEncoder(encoder);
    }
}

My AuthorizationServerConfiguration is as follows.

/**
 * Authorization-server setup: the global {@link AuthenticationManager} backs the password
 * grant, and a single in-memory client is registered.
 */
@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
    private static final String CLIENT_ID = "html5";
    private static final String GRANT_PASSWORD = "password";
    private static final String SCOPE_OPENID = "openid";

    private final AuthenticationManager authManager;

    /**
     * @param authenticationManager manager used to authenticate resource owners for the
     *                              password grant
     */
    public AuthorizationServerConfiguration(AuthenticationManager authenticationManager) {
        authManager = authenticationManager;
    }

    /**
     * Hands the global authentication manager to the token endpoints.
     *
     * @param endpoints configurer supplied by Spring Security OAuth2
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authManager);
    }

    /**
     * Registers the single OAuth2 client that may use the password grant with the openid scope.
     *
     * @param clients configurer supplied by Spring Security OAuth2
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        // NOTE(review): the client secret is a literal in source; it may be compared through
        // the PasswordEncoder bean the context holds — confirm it is stored in the form that
        // encoder expects, and consider sourcing it from configuration rather than code.
        clients.inMemory()
                .withClient(CLIENT_ID)
                .secret("password")
                .authorizedGrantTypes(GRANT_PASSWORD)
                .scopes(SCOPE_OPENID);
    }
}

. , , hasRole, Principal (). , , , .

.


"ROLE_ADMIN", "ADMIN"? :

Spring " ROLE_ " ?


, OAuth2, . webapps, auth ( , ....), , , -.

auth:

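/**
 * Authorization-server side of the OAuth2 setup: clients are read from the JDBC
 * {@link DataSource} and issued tokens are persisted through a {@link JdbcTokenStore}.
 */
@EnableAuthorizationServer
@Configuration
public class OAuth2Config extends AuthorizationServerConfigurerAdapter {

    // Both collaborators are injected once and never replaced, so they are final.
    private final TokenStore tokenStore;
    private final DataSource dataSource;

    /**
     * @param tokenStore store for issued access and refresh tokens
     * @param dataSource database holding the registered OAuth2 clients
     */
    @Autowired
    public OAuth2Config(TokenStore tokenStore,
                        DataSource dataSource) {
        this.tokenStore = tokenStore;
        this.dataSource = dataSource;
    }

    /**
     * Reads client registrations from the database instead of declaring them in code.
     *
     * @param clients configurer supplied by Spring Security OAuth2
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.jdbc(dataSource);
    }

    /**
     * Persists tokens through the injected {@link TokenStore}.
     *
     * @param endpoints configurer supplied by Spring Security OAuth2
     * @throws Exception propagated from the configurer
     */
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.tokenStore(tokenStore);
    }

    /**
     * Provides the JDBC-backed {@link TokenStore} injected into the enclosing class.
     */
    @Configuration
    public static class TokenStoreConfiguration {
        @Bean
        public TokenStore tokenStore(DataSource dataSource) {
            return new JdbcTokenStore(dataSource);
        }
    }
}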

:

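/**
 * Resource-server side of the OAuth2 setup: incoming bearer tokens are resolved through the
 * injected {@link TokenStore} and checked against this server's resource id; afterwards only
 * {@code /demo} (role DEMO) is reachable and every other request is denied.
 */
@EnableResourceServer
@Configuration
public class OAuth2Config extends ResourceServerConfigurerAdapter {
    /** Property key holding the resource id this server expects tokens to be issued for. */
    public static final String PROPERTY_RESOURCE_ID = "com.test.oauth.resourceId";

    private final Environment environment;
    private final TokenStore tokenStore;

    /**
     * @param environment source of the resource-id property
     * @param tokenStore  store used to resolve presented bearer tokens
     */
    @Autowired
    public OAuth2Config(Environment environment,
                        TokenStore tokenStore) {
        this.environment = environment;
        this.tokenStore = tokenStore;
    }

    /**
     * Binds the token store and resource id and marks the server stateless (no HTTP session).
     *
     * @param resources configurer supplied by Spring Security OAuth2
     * @throws Exception propagated from the configurer
     * @throws IllegalStateException at startup when {@value #PROPERTY_RESOURCE_ID} is not set
     */
    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        // getRequiredProperty fails fast when the property is missing; getProperty would pass
        // null through, and the resource-id check would then most likely be skipped silently.
        resources.tokenStore(tokenStore)
                .resourceId(environment.getRequiredProperty(PROPERTY_RESOURCE_ID))
                .stateless(true);
    }

    /**
     * Authorization rules for the resource server's endpoints.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/demo")
                    .access("hasRole('DEMO')")
                // Deny by default: any path not listed above is rejected even with a valid token.
                .anyRequest().denyAll()
                .and()
                // Bearer tokens are the only accepted credential; every other mechanism is off.
                .formLogin().disable()
                .logout().disable()
                .jee().disable()
                .x509().disable();
    }

    /**
     * Provides the JDBC-backed {@link TokenStore} injected into the enclosing class.
     */
    @Configuration
    public static class TokenStoreConfiguration {
        @Bean
        public TokenStore tokenStore(DataSource dataSource) {
            return new JdbcTokenStore(dataSource);
        }
    }
}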

, DataSource bean. , spring OAuth2 ( , ).

, ( , , , JDBC):

  • bean TokenStore InMemoryTokenStore JdbcTokenStore
  • inMemory() autowired DataSource
  • requestMatchers() , authorizeRequests() . oauth OAuth.

: ritesh.garg, , , , , , spring Security OAuth2 ( , , )


Source: https://habr.com/ru/post/1016896/

