spring-bootspring-securityoauth-2.0
SpringBoot3 filter requests based on a specific claims
I'm using springboot v3.2.3 with the following dependencies
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
Here my config
@Configuration
public class SecurityConfig {
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(authorize -> authorize
.requestMatchers("swagger-ui/**", "/v3/api-docs/**").permitAll()
.anyRequest().authenticated())
.oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
return http.build();
}
}
I have this in applications.properties
spring.security.oauth2.resourceserver.jwt.issuer-uri=<issuer-uri>
spring.security.oauth2.resourceserver.jwt.audiences=<app>
The jwt token verification works correctly (by allowing only the specified audience and the application uses the right issuer public certificate ). However, I want to filter based on other claims, like roles. what's the cleanest way to do so ?
Solution
In my case the claim names are slightly different ! the scope is under app_scopes claim and the role is under the app_roles claim, that's why SpringSecurity didn't map correctly theses claims with the authorities !
Hence in order to configure the roles/scopes we have to use a custom jwt converter ( which converts the jwt token into an authentication object )
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.stereotype.Component;
import java.util.*;
import java.util.stream.Collectors;
@Component
public class JwtGrantedAuthoritiesConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
@Override
public Collection<GrantedAuthority> convert(Jwt jwt) {
List<GrantedAuthority> roles = ((List<String>) jwt.getClaims().get("app_roles")).stream()
.map(roleName -> "ROLE_" + roleName)
.map(SimpleGrantedAuthority::new)
.collect(Collectors.toList());
List<GrantedAuthority> scopes = ((List<String>)jwt.getClaims().get("app_scopes")).stream()
.map(scopeName -> "SCOPE_" + scopeName)
.map(SimpleGrantedAuthority::new)
.collect(Collectors.toList());
List<GrantedAuthority> authorities = new ArrayList<>(scopes);
authorities.addAll(roles);
return authorities;
}
}
Then we just need to wire the JwtGrantedAuthoritiesConverter with our SpringSecurity configuration (FilterChain
@Configuration
@EnableMethodSecurity
public class SecurityConfig {
private final JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter;
public SecurityConfig(JwtGrantedAuthoritiesConverter jwtGrantedAuthoritiesConverter) {
this.jwtGrantedAuthoritiesConverter = jwtGrantedAuthoritiesConverter;
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http.authorizeHttpRequests(authorize -> authorize
.requestMatchers("swagger-ui/**", "/v3/api-docs/**").permitAll()
.requestMatchers("/test").access(AuthorizationManagers.allOf(
AuthorityAuthorizationManager.hasAuthority("SCOPE_super"),
AuthorityAuthorizationManager.hasAuthority("ROLE_adminit")
))
.anyRequest().authenticated())
.oauth2ResourceServer(oauth2 -> oauth2
.jwt(jwt -> jwt.jwtAuthenticationConverter(customJwtAuthenticationConverter())));
return http.build();
}
private JwtAuthenticationConverter customJwtAuthenticationConverter() {
JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
converter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter);
return converter;
}
}
Now we are able to manage the authorization !
The user's token should have SCOPE_super and ROLE_adminit to be able to access to the /test -secured- endpoint 👏
Obviously we can also use @PreAuthorize at the method level.
- PageRequest in Spring Boot undefined
- SunCertPathBuilderException when upgrading to Spring Boot 3.2
- Is it possible to control which requests will reset a session's inactivity in Spring Boot?
- Spring Boot pass a default value in return
- How to configure zipkin baseUrl in SpringBoot 3
- Spring boot test cases failed - java.lang.IllegalStateException: Failed to load ApplicationContext
- Access Entity fields at dev-time
- Failing to handle deserialization exceptions in batch listener
- When I delete data on Swagger I'm getting DataIntegrityViolationException
- Is it possible to use <int:poller> inside <int:router> in spring-integration 5.5.18?
- Cannot query a table with composite key in Hibernate
- JPA Native Query. Cannot select specific columns
- Spring Boot 2.5.0 generates plain.jar file. Can I remove it?
- Spring Security version 6 issues with SecurityFilterChain
- How to check signature of a token coming from Azure SSO
- controller not registered in spring
- How to trigger custom AuthenticationProvider for Cookie based authentication in Spring Boot?
- micrometer dynatrace registry vs. OneAgent process monitoring
- The use of Spring Security Meta Annotation
- How to disable csrf in Spring using application.properties?
- Tests in Spring Boot with database H2
- Spring Boot: Why do i get Content-Type 'application/octet-stream' is not supported , when i'm sending multipart/form-data?
- Broadcast SseEmitter to multiple clients
- What is the reason to disable csrf in spring boot web application?
- Reason to disable CSRF in spring boot
- Custom ObjectMapper with Spring RestClient (migrating from WebClient)
- Unable to resolve name [org.hibernate.spatial.dialect.postgis.PostgisDialect] as strategy [org.hibernate.dialect.Dialect]
- MapStruct mapper returns empty mapped object
- Why does a near-identical service not require @ComponentScan for accessing library beans?
- Multiple Entry point configuration is giving me 403 error for spring security 6