
I am trying out the new Spring Authorization Server, and I have hit a dead end in my endless googling.

Without the @Secured and @EnableGlobalMethodSecurity configured, it works like a charm, but the moment I try to secure the resource server with the above annotations I now get a 403 Forbidden error.


Authorization Server Configuration

DefaultSecurityConfig.java

MongoDBUserDetailsService.java (User Detail Service)

The roles are in the format of "ADMIN" without the prefix "ROLE_" since it's already added during runtime.

Resource Server Configuration

ResourceServerConfig.java

ArticlesController.java

  • Don't feel discouraged by downvotes. Someone is consistently downvoting Spring Authorization Server related questions even though there is 0 documentation. Samples cover only basic scenarios and there are very few resources online. After spending weeks unsuccessfully trying to replace the old authorization server with the new one, and digging through the source code and tests, I can tell you I do not (yet) know the answer to your question. I am guessing the downvoter is expecting everyone to get a deep understanding of the IETF specification, which I, admittedly, do not have. – SeaBiscuit Dec 12 '21 at 17:38
  • It seems you may be confusing roles, authorities and scopes. Take a look at the question below to understand the difference. In short, it doesn't make sense to use roles in the resource server. https://stackoverflow.com/questions/68693386/using-user-roles-in-resource-server-to-restrict-acces-on-path/68723813#68723813 – Eleftheria Stein-Kousathana Dec 14 '21 at 12:41
  • @EleftheriaStein-Kousathana I needed to use both scopes for OAuth client authorization and also user roles to restrict the APIs. I managed to find a way to do it in my answer by retrieving the user roles using the username claim from the token and setting the authorities on the token again. – Raymond Nathan Dec 17 '21 at 04:02

1 Answer


I kinda figured out a way to do it, which was to implement a custom converter for my jwt token, where I then can query the user and their roles from db using the claim from token and then injecting that to the request filter.

CustomJWTAuthenticationConverter

ResourceServer SecurityFilterChain
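The approach the answer describes, written out as an added example (this is not the answerer's code, which was only posted as screenshots): a `Converter<Jwt, AbstractAuthenticationToken>` that keeps the `SCOPE_*` authorities Spring derives from the token and adds the user's roles loaded from the database, then a resource-server `SecurityFilterChain` that plugs the converter in and enables `@Secured`. Assumptions: the username travels in the JWT `sub` claim, and a `UserDetailsService` bean (such as the question's `MongoDBUserDetailsService`) can load that user. Because `@Secured("ROLE_ADMIN")` compares the authority string verbatim, the example normalises role names to the `ROLE_` prefix if the stored value lacks it.

```java
// Added example, not code from the question or answer.
// Assumes: username in the "sub" claim; a UserDetailsService bean is available.
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

public class CustomJwtAuthenticationConverter implements Converter<Jwt, AbstractAuthenticationToken> {

    private static final String ROLE_PREFIX = "ROLE_";

    // Spring's default converter turns the "scope"/"scp" claim into SCOPE_* authorities.
    private final JwtGrantedAuthoritiesConverter scopeConverter = new JwtGrantedAuthoritiesConverter();
    private final UserDetailsService userDetailsService;

    public CustomJwtAuthenticationConverter(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        // Start with the scope authorities so OAuth client authorization keeps working.
        Set<GrantedAuthority> authorities = new LinkedHashSet<>(scopeConverter.convert(jwt));

        String username = jwt.getSubject(); // assumption: "sub" carries the username
        try {
            UserDetails user = userDetailsService.loadUserByUsername(username);
            for (GrantedAuthority granted : user.getAuthorities()) {
                // @Secured matches the authority string exactly, so make sure it is ROLE_*
                String role = granted.getAuthority();
                if (!role.startsWith(ROLE_PREFIX)) {
                    role = ROLE_PREFIX + role;
                }
                authorities.add(new SimpleGrantedAuthority(role));
            }
        } catch (UsernameNotFoundException e) {
            // Subject unknown to this resource server: keep the scopes, grant no roles.
        }
        return new JwtAuthenticationToken(jwt, authorities, username);
    }
}

@Configuration
@EnableGlobalMethodSecurity(securedEnabled = true) // makes @Secured on controller methods effective
class ResourceServerConfig {

    @Bean
    SecurityFilterChain resourceServerFilterChain(HttpSecurity http,
                                                  UserDetailsService userDetailsService) throws Exception {
        http
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(
                    new CustomJwtAuthenticationConverter(userDetailsService))));
        return http.build();
    }
}
```

With this in place a method annotated `@Secured("ROLE_ADMIN")` in `ArticlesController` is reachable only when the loaded user carries the `ADMIN` role, while scope checks such as `hasAuthority("SCOPE_articles.read")` continue to work on the same token. Note the trade-off: the user lookup runs on every request, which costs a database round trip but also means a role revoked in the database stops working immediately rather than at token expiry.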