Spring Boot authorization
-
The issue I am facing involves accessing a protected resource ("/admin") in my Spring Boot application, where all resources to which I impose a role constraint block access for all users, even those with the required role. The application uses Spring Security and OAuth 2.0, with JWT tokens for authentication and authorization. When a user successfully logs in and obtains a JWT token containing the appropriate roles (for example, "ROLE_ADMIN"), access to the protected resource is still denied.
I have checked several elements, including correct JWT token generation, proper decoding within the application, and Spring Security configuration. Despite these checks, the problem persists. When I attempt to access the "/admin" resource, authentication succeeds, but the authorities (Granted Authorities) appear to be empty, which may explain the access denial.
I have already adjusted the Spring Security configuration using hasAuthority("ROLE_ADMIN") in the authorizeHttpRequests method, but the problem persists. I wonder if there is something I might have missed in the Spring Security configuration, JWT token decoding, or any other part of the code that could influence access to the protected resource.
Below, I share a portion of my Spring Security configuration that could be relevant: https://github.com/RaselisonToky/login.git
I would appreciate any assistance in identifying the root cause of the problem and finding a solution. Thank you.
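The symptom described above (authentication succeeds, but the granted authorities are empty) is what happens when Spring Security's resource server reads its default `scope`/`scp` claim and the token actually carries the roles in a different claim. Below is an added example, not the poster's configuration and not Spring's quickstart, showing how to map a custom roles claim onto granted authorities and how to inspect the result. It assumes Spring Security 6 (`requestMatchers`), a JWT whose roles sit in a claim named `roles` with values such as `ROLE_ADMIN` (the claim name is an assumption; the poster's token layout is not shown), and an issuer or public key already configured under `spring.security.oauth2.resourceserver.jwt.*`.

```java
// Added example: map a JWT "roles" claim to Spring Security authorities.
// Assumption: the token carries "roles": ["ROLE_ADMIN", ...].
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
public class ResourceServerConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                // hasRole("ADMIN") matches the authority "ROLE_ADMIN"
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                // Plug in the converter so the roles claim becomes authorities.
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    // By default JwtGrantedAuthoritiesConverter reads "scope"/"scp" and prefixes
    // each value with "SCOPE_". A token that only has a "roles" claim therefore
    // yields an Authentication with no authorities, which is the failure mode
    // described in the question.
    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("roles"); // assumed claim name
        authorities.setAuthorityPrefix("");            // values already carry "ROLE_"

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }
}

// Diagnostic endpoint: call it with the token to see exactly which authorities
// Spring derived, instead of guessing from a 403 on /admin.
@RestController
class WhoAmIController {

    @GetMapping("/whoami")
    Map<String, Object> whoAmI(Authentication authentication) {
        List<String> authorities = authentication.getAuthorities().stream()
            .map(GrantedAuthority::getAuthority)
            .toList();
        return Map.of(
            "principal", authentication.getName(),
            "authorities", authorities);
    }
}
```

If `/whoami` reports an empty `authorities` list after this change, the claim name or its shape (a JSON array versus a space-delimited string) does not match what the converter expects; if it reports `ROLE_ADMIN`, the `/admin` rule will pass, and the remaining checks are on the token signature and issuer settings rather than on the authorization rule.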
-
@tokyraselison2 Have you taken a look at our quickstart? It doesn't do authorization checks, but the way it sets up the OAuth 2 resolver is a bit different than the way you do:
Are you sure you have set up the JWT to be signed by an RSA key? I don't know about spring, but some other frameworks don't work with HMAC signed JWTs because of the secret sharing problem.