Tuesday, May 9, 2017

hasRole always returns 403


I can't seem to get my security configuration right. No matter what I do when using hasRole my endpoints always return 403.

Also I can't get anything to work unless I duplicate my antMatchers under both .requestMatchers() and .authorizeRequests(). I'm clearly missing something here.

Basically I want everything to require authentication but a few endpoints only to be accessible if the user is a member of certain groups (for now just admin).

My security configuration is as follows. Everything besides hasRole works.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableGlobalMethodSecurity(prePostEnabled = true)
@EnableWebSecurity
@Configuration
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable()
            // Limit which requests this filter chain handles at all
            .requestMatchers()
                .antMatchers(HttpMethod.GET, "/v2/api-docs", "/swagger-resources/**", "/swagger-ui.html")
                .antMatchers(HttpMethod.GET, "/users")
                .and()
            // Access rules for the requests matched above
            .authorizeRequests()
                .antMatchers(HttpMethod.GET, "/v2/api-docs", "/swagger-resources/**", "/swagger-ui.html").permitAll()
                .antMatchers(HttpMethod.GET, "/users").hasRole("ADMIN")
                .anyRequest().authenticated();
    }

    // Inspiration: https://spring.io/blog/2015/06/08/cors-support-in-spring-framework#comment-2416096114
    @Override
    public void configure(WebSecurity web) throws Exception {
        // Let CORS preflight requests bypass the security filter chain entirely
        web
            .ignoring()
                .antMatchers(HttpMethod.OPTIONS, "/**");
    }
}
```

My AuthenticationConfiguration is as follows

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.authentication.configurers.GlobalAuthenticationConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;

@Configuration
@EnableResourceServer
public class AuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter {

    private final UserDetailsService userService;
    private final PasswordEncoder passwordEncoder;

    public AuthenticationConfiguration(UserDetailsService userService, PasswordEncoder passwordEncoder) {
        this.userService = userService;
        this.passwordEncoder = passwordEncoder;
    }

    @Override
    public void init(AuthenticationManagerBuilder auth) throws Exception {
        // Authenticate against the application's own UserDetailsService
        auth
                .userDetailsService(userService)
                .passwordEncoder(passwordEncoder);
    }
}
```

My AuthorizationServerConfiguration is as follows

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration
@EnableAuthorizationServer
public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {

    private final AuthenticationManager authenticationManager;

    public AuthorizationServerConfiguration(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        // Needed for the password grant so the token endpoint can authenticate users
        endpoints.authenticationManager(authenticationManager);
    }

    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients
                .inMemory()
                .withClient("html5")
                .secret("password")
                .authorizedGrantTypes("password")
                .scopes("openid");
    }
}
```

I'll happily post my user service and other stuff, but everything seems to work besides hasRole, and Principal is loaded with the right authorities (roles). Please let me know if I should post any more code.

The entire source code can be found here.

1 Answer

Have you tried with "ROLE_ADMIN" rather than just "ADMIN"? Take a look at this for reference:

Spring security added prefix "ROLE_" to all roles name?
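As an added illustration (not code from the question, the answer, or the linked project), the hypothetical UserDetailsService below shows the naming the answer is pointing at: in Spring Security 4.x, `hasRole("ADMIN")` in the HttpSecurity rules is satisfied only by a granted authority named `ROLE_ADMIN`, so whatever loads the user must emit that prefix (or the rule must use `hasAuthority("ADMIN")` to match an unprefixed name). The class name, sample users and passwords are constructed.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.password.PasswordEncoder;

// Hypothetical service: maps application "groups" onto Spring Security authorities.
public class GroupBackedUserDetailsService implements UserDetailsService {

    // hasRole("X") is evaluated as "has authority ROLE_X"; this is the prefix it expects.
    private static final String ROLE_PREFIX = "ROLE_";

    private final Map<String, List<String>> groupsByUser = new HashMap<>();
    private final Map<String, String> encodedPasswordByUser = new HashMap<>();

    public GroupBackedUserDetailsService(PasswordEncoder encoder) {
        // Constructed sample data; a real service would read this from a user store.
        groupsByUser.put("alice", Arrays.asList("admin", "user"));
        groupsByUser.put("bob", Arrays.asList("user"));
        encodedPasswordByUser.put("alice", encoder.encode("alice-secret"));
        encodedPasswordByUser.put("bob", encoder.encode("bob-secret"));
    }

    // "admin" -> "ROLE_ADMIN"; an already-prefixed name is left untouched.
    static String toRoleAuthority(String group) {
        String name = group.toUpperCase(Locale.ROOT);
        return name.startsWith(ROLE_PREFIX) ? name : ROLE_PREFIX + name;
    }

    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        List<String> groups = groupsByUser.get(username);
        if (groups == null) {
            throw new UsernameNotFoundException("no such user: " + username);
        }
        // Without the prefix, GET /users with .hasRole("ADMIN") is denied (403) for alice,
        // even though her Principal visibly carries an "ADMIN" authority.
        List<GrantedAuthority> authorities = groups.stream()
                .map(g -> new SimpleGrantedAuthority(toRoleAuthority(g)))
                .collect(Collectors.toList());
        return new User(username, encodedPasswordByUser.get(username), authorities);
    }
}
```

If the stored group names should stay unprefixed, the alternative is to keep the authorities as-is and write the rule as `.antMatchers(HttpMethod.GET, "/users").hasAuthority("ADMIN")`, which compares the raw authority name.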
