I can't seem to get my security configuration right. No matter what I do when using hasRole
my endpoints always return 403.
Also I can't get anything to work unless I duplicate my antMatchers
under both .requestMatchers()
and .authorizeRequests()
. I'm clearly missing something here.
Basically I want everything to require authentication but a few endpoints only to be accessable if the user is member of certain groups (for now just admin).
My security configuration is as follows. Everything beside hasRole
works.
@EnableGlobalMethodSecurity(prePostEnabled = true) @EnableWebSecurity @Configuration public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter { @Override protected void configure(HttpSecurity http) throws Exception { http .csrf().disable() .requestMatchers() .antMatchers(HttpMethod.GET, "/v2/api-docs", "/swagger-resources/**", "/swagger-ui.html") .antMatchers(HttpMethod.GET, "/users") .and() .authorizeRequests() .antMatchers(HttpMethod.GET, "/v2/api-docs", "/swagger-resources/**", "/swagger-ui.html").permitAll() .antMatchers(HttpMethod.GET, "/users").hasRole("ADMIN") .anyRequest().authenticated(); } // Inspiration: https://spring.io/blog/2015/06/08/cors-support-in-spring-framework#comment-2416096114 @Override public void configure(WebSecurity web) throws Exception { web .ignoring() .antMatchers(HttpMethod.OPTIONS, "/**"); } }
My AuthenticationConfiguration is as follows
@Configuration @EnableResourceServer public class AuthenticationConfiguration extends GlobalAuthenticationConfigurerAdapter { private final UserDetailsService userService; private final PasswordEncoder passwordEncoder; public AuthenticationConfiguration(UserDetailsService userService, PasswordEncoder passwordEncoder) { this.userService = userService; this.passwordEncoder = passwordEncoder; } @Override public void init(AuthenticationManagerBuilder auth) throws Exception { auth .userDetailsService(userService) .passwordEncoder(passwordEncoder); } }
My AuthorizationServerConfiguration is as follows
@Configuration @EnableAuthorizationServer public class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter { private final AuthenticationManager authenticationManager; public AuthorizationServerConfiguration(AuthenticationManager authenticationManager) { this.authenticationManager = authenticationManager; } @Override public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception { endpoints.authenticationManager(authenticationManager); } @Override public void configure(ClientDetailsServiceConfigurer clients) throws Exception { clients .inMemory() .withClient("html5") .secret("password") .authorizedGrantTypes("password") .scopes("openid"); } }
I'll happily post my user service and other stuff. But everything seems to work beside hasRole
and Principal
is loaded with the right authorities (roles). But please let me know if I should post any more code.
The entire source code can be found here.
1 Answers
Answers 1
Have you tried with "ROLE_ADMIN" rather than just "ADMIN"? Take a look at this for reference:
0 comments:
Post a Comment