-1

I am developing authorization on the site using JWT tokens: the transfer of the access token and its validation are performed without errors in Postman, enter image description here but when setting HTTP header in browser

       function sendHello() {
            let result = document.querySelector('.st');
            let res_token = result.toString();
            fetch('http://localhost:8080/api/hello/user', {
                method: 'GET',
                headers: new Headers({
                    'Authorization': 'Bearer, ' + res_token,
                    'Content-Type': 'application/json'
                })
            });
        }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        return http
                .httpBasic().disable()
                .csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and()
                .authorizeHttpRequests(
                        authz -> authz
                                .antMatchers("/api/auth/login", "/api/auth/token").permitAll()
                                .anyRequest().authenticated()
                                .and()
                                .addFilterAfter(jwtFilter, UsernamePasswordAuthenticationFilter.class)
                ).build();

    @PreAuthorize("hasAuthority('USER')")
    @GetMapping("hello/user")
    public ResponseEntity<String> helloUser() {
        final JwtAuthentication authInfo = authService.getAuthInfo();
        return ResponseEntity.ok("Hello user " + authInfo.getPrincipal() + "!");
    }

I get an error:

There was an unexpected error (type=Forbidden, status=403).
Access Denied
org.springframework.security.access.AccessDeniedException: Access is denied
    at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:77)

i tried to find error in request params in fetch. But the request in postman is similar:

curl --location 'https://localhost:8081/person/hello/user'\
--header 'Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJhbnRvbiIsImV4cCI6MTY5MzIyNzM4MSwicm9sZXMiOlsiVVNFUiJdLCJmaXJzdE5hbWUiOiLQkNC90YLQvtC9In0.s3drUolTZ1655iX7j3U4ecdqAZpID1YIlfwDG5_0xbXE7M7m8HjahSbT3-AszR9vbvrUxhpYIqFQjUQEPgCtyw'
andreydragunov
  • 1
  • 1
  • several things, storing JWTs in browsers or issuing JWTs to browsers is very dangerous, and should never be given out and never be accessible using javascript. Browsers should only store tokens in cookies with the httponly flag set. Second, you have not configured your SecurityFilterChain to accept tokens. Here is tutorial for configuring spring security and jwts correctly https://github.com/Tandolf/spring-security-jwt-demo But this should only be used if a microservice is talking to a different microservice. Tokens should never be sent to end clients/browsers. – Toerktumlare Aug 29 '23 at 11:15
  • also you should enable spring security debug logs and read the reason for your forbidden, please learn how to debug – Toerktumlare Aug 29 '23 at 11:18
  • @Toerktumlare, I added jwtFilter to Spring Security configuration. I will check the debug log, thanks – andreydragunov Aug 29 '23 at 11:58
  • @Toerktumlare, It's strange that in Postman Status 200 – andreydragunov Aug 29 '23 at 12:19
  • My guess is that the endpoint isnt secured at all, so it just ignores your header, but since you have provided no logs i cant tell and i prefer to not do guesswork – Toerktumlare Aug 29 '23 at 13:18

0 Answers0