
Using Spring Security 6.2.4 but I can't find the hasScope check in HttpSecurity


According to this documentation https://docs.spring.io/spring-security/reference/servlet/oauth2/resource-server/jwt.html

import org.springframework.security.oauth2.core.authorization.OAuth2AuthorizationManagers.hasScope

@Configuration
@EnableWebSecurity
class MyCustomSecurityConfiguration {
    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            authorizeRequests {
                authorize("/messages/**", hasScope("message:read"))
                authorize(anyRequest, authenticated)
            }
            oauth2ResourceServer {
                jwt {
                    jwtAuthenticationConverter = myConverter()
                }
            }
        }
        return http.build()
    }
}

However, authorizeRequests is deprecated, and in any case it does not contain the authorize method or hasScope. I also tried authorizeHttpRequests, with no luck. Please see my attached screenshot.

[Screenshot: no authorize for the request]

Can you please explain to me what I am missing?

Thank you.


Solution

  • As I also see, there is no way of having:

    authorize("/messages/**", hasScope("message:read"))
    

    But I could suggest having something like:

    authorize("/messages/**", hasAuthority("SCOPE_message:read"))
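
An added example, not part of the original question or answer: a complete Kotlin DSL configuration built around the `hasAuthority("SCOPE_message:read")` suggestion, using `authorizeHttpRequests`. The class name `ScopeCheckSecurityConfiguration` and the helper `scopeConverter()` are hypothetical stand-ins for the question's `myConverter()`, and the example assumes the Kotlin DSL extension import `org.springframework.security.config.annotation.web.invoke` is available on the classpath.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
// Extension function that makes the `http { ... }` Kotlin DSL block resolve
import org.springframework.security.config.annotation.web.invoke
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter
import org.springframework.security.web.SecurityFilterChain

@Configuration
@EnableWebSecurity
open class ScopeCheckSecurityConfiguration { // hypothetical class name

    @Bean
    open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
            authorizeHttpRequests {
                // Scopes from the JWT arrive as authorities named "SCOPE_<scope>"
                authorize("/messages/**", hasAuthority("SCOPE_message:read"))
                // Everything else only requires a valid token
                authorize(anyRequest, authenticated)
            }
            oauth2ResourceServer {
                jwt {
                    jwtAuthenticationConverter = scopeConverter()
                }
            }
        }
        return http.build()
    }

    // Hypothetical helper: keeps the "SCOPE_" prefix explicit so the
    // authority string used in the rule above is the one actually granted.
    private fun scopeConverter(): JwtAuthenticationConverter {
        val authorities = JwtGrantedAuthoritiesConverter()
        authorities.setAuthorityPrefix("SCOPE_")
        val converter = JwtAuthenticationConverter()
        converter.setJwtGrantedAuthoritiesConverter(authorities)
        return converter
    }
}
```

The rule only matches when the converter keeps the `SCOPE_` prefix; a custom converter that sets a different prefix or reads a different claim needs the corresponding string in `hasAuthority`, otherwise every request to `/messages/**` is denied.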