Spring oauth2 hasRole access denied

David Steiman · Jan 29, 2016 · Viewed 10.1k times

I am really new to OAuth2 and am trying to build one server in the role of auth server for authorizing users and one keeping a protected resource...

I've got issues securing it with the ResourceServerConfigurerAdapter. It seems like it is ignoring all the roles fetched from the userInfoUrl...

So here is the code:

AuthServer

import java.security.Principal;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@EnableAuthorizationServer
@EnableResourceServer
@RestController
public class Oa2AuthServerApplication {

    // User-info endpoint: the resource server calls this (userInfoUrl) to
    // learn who the token belongs to and which authorities it carries
    @RequestMapping("/user")
    public Principal user(Principal user) {
        return user;
    }

    public static void main(String[] args) {
        SpringApplication.run(Oa2AuthServerApplication.class, args);
    }
}

__

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Expose the AuthenticationManager so the authorization server can use it
    @Override
    @Bean
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    // In-memory users; .roles("ADMIN") is stored as authority ROLE_ADMIN
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.inMemoryAuthentication()
                .withUser("admin")
                .password("admin")
                .roles("ADMIN", "USER")
                .and()
                .withUser("user")
                .password("user")
                .roles("USER");
    }
}

__

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.oauth2.config.annotation.configurers.ClientDetailsServiceConfigurer;
import org.springframework.security.oauth2.config.annotation.web.configuration.AuthorizationServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.AuthorizationServerEndpointsConfigurer;

@Configuration
public class OA2AuthConfig extends AuthorizationServerConfigurerAdapter {
    @Autowired
    private AuthenticationManager authenticationManager;

    // Wire the user AuthenticationManager into the token endpoints
    @Override
    public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
        endpoints.authenticationManager(authenticationManager);
    }

    // Single in-memory client; the authorities listed here belong to the
    // client itself, not to the users who log in through it
    @Override
    public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
        clients.inMemory()
                .withClient("default")
                .secret("kx")
                .scopes("AUTH", "TRUST")
                .autoApprove(true)
                .authorities("ROLE_GUEST", "ROLE_USER", "ROLE_ADMIN")
                .authorizedGrantTypes("authorization_code", "implicit", "refresh_token");
    }
}

ResourceServer

import java.util.UUID;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
@RestController
@EnableResourceServer
public class Oa2ResourceServerApplication {

    // Any valid token may call this
    @RequestMapping("/")
    public String greet() {
        return UUID.randomUUID().toString() + "\r\n";
    }

    // Intended to be restricted by role (see the configurer below)
    @RequestMapping("/forAdmin")
    public String admin() {
        return "hi admin!";
    }

    public static void main(String[] args) {
        SpringApplication.run(Oa2ResourceServerApplication.class, args);
    }
}

So getting a token from the auth server and calling "localhost:9091/" and "/forAdmin" works with this token.

But when I do this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@Configuration
public class WebSecurityConfig extends ResourceServerConfigurerAdapter {
    // Require ROLE_USER for /forAdmin; hasRole("USER") adds the ROLE_ prefix itself
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/forAdmin").hasRole("USER");
    }
}

I get access denied....

To be sure the roles are reaching the resource server, I have changed the greet() from above to

// needs: java.security.Principal, org.slf4j.Logger / LoggerFactory,
// org.springframework.security.oauth2.provider.OAuth2Authentication
private static final Logger log = LoggerFactory.getLogger(Oa2ResourceServerApplication.class);

@RequestMapping("/")
public String greet(Principal user) {
    // Log the authorities the resource server extracted from the token
    if (user instanceof OAuth2Authentication) {
        log.info("having roles: {}", ((OAuth2Authentication) user).getAuthorities());
    }
    return UUID.randomUUID().toString() + "\r\n";
}

and the console shows

d.k.auth.Oa2ResourceServerApplication : having roles: [{authority=ROLE_USER}]

So when "Principal" is the currently authenticated user, I assume there is a bug with the resource server configurer... or I am doing something fatally wrong...

or both... I don't know.

Can anybody help me with this problem?

Answer

mavogel · Jan 8, 2017

So JWT is necessary; without it, it does not work.

I solved it with the combination:

@PreAuthorize("#oauth2.hasScope('openid') and hasRole('ROLE_ADMIN')")

You can find a sample of a protected Resource here.
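The following is an added example (not mavogel's code, not the original poster's, and not taken from the linked sample) of how the combination in this answer fits into a resource server: JWT tokens are verified locally with a JwtTokenStore, so the roles that hasRole() checks come straight out of the signed token rather than from a userInfoUrl round trip, and the same scope-plus-role rule is applied once at URL level and once with @PreAuthorize. It assumes the Spring Security OAuth2 2.x API used on this page, a hypothetical package name, a placeholder symmetric signing key that the authorization server must also use (via endpoints.tokenStore(...) and accessTokenConverter(...)), and that the client is granted a scope named 'openid' as in the answer; substitute whatever scope your client actually receives.

```java
package example.resource; // hypothetical package name

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.expression.OAuth2MethodSecurityExpressionHandler;
import org.springframework.security.oauth2.provider.token.TokenStore;
import org.springframework.security.oauth2.provider.token.store.JwtAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.store.JwtTokenStore;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

/**
 * Resource server that validates JWT access tokens locally. The granted
 * authorities are decoded from the signed token, so hasRole('ADMIN') sees
 * a plain ROLE_ADMIN authority.
 */
@Configuration
@EnableResourceServer
public class JwtResourceServerConfig extends ResourceServerConfigurerAdapter {

    // PLACEHOLDER (assumption): must be the same key the authorization server signs with.
    private static final String SIGNING_KEY = "CHANGE-ME-shared-signing-key";

    @Bean
    public JwtAccessTokenConverter accessTokenConverter() {
        JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
        converter.setSigningKey(SIGNING_KEY); // symmetric key: also used to verify signatures here
        return converter;
    }

    @Bean
    public TokenStore tokenStore() {
        // No remote lookup: the token is parsed and its signature checked in-process
        return new JwtTokenStore(accessTokenConverter());
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) {
        resources.tokenStore(tokenStore());
    }

    @Override
    public void configure(HttpSecurity http) throws Exception {
        // URL-level rule: the token needs the scope AND the user needs the role.
        // #oauth2.* is available here because the resource server installs
        // OAuth2WebSecurityExpressionHandler by default.
        http.authorizeRequests()
                .antMatchers("/forAdmin").access("#oauth2.hasScope('openid') and hasRole('ADMIN')")
                .anyRequest().authenticated();
    }
}

/**
 * Enables @PreAuthorize and registers the OAuth2 expression handler so that
 * #oauth2.hasScope(...) can be used inside method-level expressions.
 */
@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true)
class MethodSecurityConfig extends GlobalMethodSecurityConfiguration {
    @Override
    protected MethodSecurityExpressionHandler createExpressionHandler() {
        return new OAuth2MethodSecurityExpressionHandler();
    }
}

@RestController
class AdminController {
    // Method-level check mirroring the answer: scope AND role, evaluated per call
    @PreAuthorize("#oauth2.hasScope('openid') and hasRole('ROLE_ADMIN')")
    @RequestMapping("/forAdmin")
    public String admin() {
        return "hi admin!";
    }
}
```

Keeping both the URL rule and the method annotation is deliberate: the URL rule fails fast at the filter chain, while @PreAuthorize still protects the method if it is later exposed under a different path. A token issued for the "user" account (ROLE_USER only) is rejected by both checks, and a token whose scope list lacks 'openid' is rejected even for "admin".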