Config
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {
@Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
String jwkSetUri;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests(requests -> requests
.antMatchers(HttpMethod.GET, "/message/**").hasRole("test-role")
.anyRequest().authenticated()
).oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt);
}
@Bean
JwtAuthenticationConverter jwtAuthenticationConverter() {
JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(new RoleMapper());
return jwtAuthenticationConverter;
}
@Bean
JwtDecoder jwtDecoder() {
return NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
}
@SuppressWarnings("unchecked")
static class RoleMapper implements Converter<Jwt, Collection<GrantedAuthority>> {
@Override
public Collection<GrantedAuthority> convert(Jwt jwt) {
final Map<String, Collection<String>> realmAccess = (Map<String, Collection<String>>) jwt.getClaims().get("realm_access");
return realmAccess.get("roles").stream()
.map(roleName -> "ROLE_" + roleName)
.map(SimpleGrantedAuthority::new)
.collect(Collectors.toList());
}
}
}
Test
@Test
void test() throws Exception {
MockHttpServletResponse response = mvc.perform(get("/message")
.with(jwt().authorities(new SimpleGrantedAuthority("ROLE_test_role"))))
.andReturn()
.getResponse();
assertThat(response.getStatus()).as("Response has incorrect HTTP status.").isEqualTo(HttpStatus.OK.value());
}
Logs
2021-08-31 09:28:12.862 TRACE 119643 --- [ main] o.s.s.w.a.i.FilterSecurityInterceptor : Authorizing filter invocation [GET /message] with attributes [hasRole('ROLE_test-role')]
2021-08-31 09:28:12.866 TRACE 119643 --- [ main] o.s.s.w.a.expression.WebExpressionVoter : Voted to deny authorization
2021-08-31 09:28:12.866 TRACE 119643 --- [ main] o.s.s.w.a.i.FilterSecurityInterceptor : Failed to authorize filter invocation [GET /message] with attributes [hasRole('ROLE_test-role')] using AffirmativeBased [DecisionVoters=[org.springframework.security.web.access.expression.WebExpressionVoter@2503ec73], AllowIfAllAbstainDecisions=false]
2021-08-31 09:28:12.867 TRACE 119643 --- [ main] o.s.b.f.s.DefaultListableBeanFactory : Returning cached instance of singleton bean 'delegatingApplicationListener'
2021-08-31 09:28:12.868 TRACE 119643 --- [ main] o.s.s.w.a.ExceptionTranslationFilter : Sending JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@bbd01fb9, Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[ROLE_test_role]] to access denied handler since access is denied
org.springframework.security.access.AccessDeniedException: Access is denied
at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:73) ~[spring-security-core-5.5.2.jar:5.5.2]
at org.springframework.security.access.intercept.AbstractSecurityInterceptor.attemptAuthorization(AbstractSecurityInterceptor.java:238) ~[spring-security-core-5.5.2.jar:5.5.2]
Spring boot version - 2.5.4 Why does the WebExpressionVoter doesn't resolve the granted authority? What am I missing?(Tried with actual auth server too, same error) I tested with multiple previous version of spring boot but no joy. Any advice/recommendations/suggestions please
In the test you use ROLE_test_role and in the security configuration you have test-role - one with hyphen, one with underscore. I think that's the problem.