Spring Boot ignoring roles

I am new to Spring Boot and decided to follow a tutorial on how to create a JWT REST API with it. Upon doing this I noticed that it now completely ignores my @PreAuthorize annotations. In a rest controller class:
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/admin")
public String test() {
return "Hello admin";
}
My SecurityFilterChain in my securityConfiguration class:
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf.disable())
.authorizeHttpRequests(authorize -> authorize
.anyRequest().authenticated()
)
.oauth2ResourceServer((oauth2) -> oauth2.jwt(Customizer.withDefaults()))
.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.httpBasic(Customizer.withDefaults());
return http.build();
}
30 Replies
JavaBot, 3mo ago
This post has been reserved for your question.
Hey @harry039804! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically marked as dormant after 300 minutes of inactivity.
TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.
harry039804 (OP), 3mo ago
And my only user (which I have created for the test) does not have admin permissions, however it can see the results from /admin
@Bean
public UserDetailsService userDetailsService() {
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withUsername("user").password("{noop}password").roles("USER").build());
return manager;
}
dan1st, 3mo ago
Can you enable TRACE or DEBUG logging for Spring Security and show the logs when making the request?
harry039804 (OP), 3mo ago
GET "/admin", parameters={}
Mapped to com.example.restAPI.controllers.HomeController#test()
Using 'text/plain', given [*/*] and supported [text/plain, */*, application/json, application/*+json]
Writing ["Hello admin"]
Completed 200 OK
That's DEBUG ^
dan1st, 3mo ago
And that's shown in the console?
harry039804 (OP), 3mo ago
yes
dan1st, 3mo ago
Stack Overflow: How do I enable logging for Spring Security?
harry039804 (OP), 3mo ago
I just enabled it on my application.properties
dan1st, 3mo ago
what exactly did you enable?
harry039804 (OP), 3mo ago
debug = true
harry039804 (OP), 3mo ago
[image attachment]
dan1st, 3mo ago
oh I was specifically asking for Spring Security logging
harry039804 (OP), 3mo ago
oh mb
dan1st, 3mo ago
like there
harry039804 (OP), 3mo ago
Securing GET /admin
Authenticated token
Set SecurityContextHolder to JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@bb8cefc3, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[SCOPE_ROLE_USER]]
Secured GET /admin
dan1st, 3mo ago
isn't there something before and after? mainly after it
harry039804 (OP), 3mo ago
Nothing after that. Before is just basic startup. Only other debug thing before it is this:
dan1st, 3mo ago
And you did logging.level.org.springframework.security=DEBUG?
harry039804 (OP), 3mo ago
2025-01-05T21:44:50.795Z DEBUG 84135 --- [restAPI] [ main] o.s.s.web.DefaultSecurityFilterChain : Will secure any request with filters: DisableEncodeUrlFilter, WebAsyncManagerIntegrationFilter, SecurityContextHolderFilter, HeaderWriterFilter, LogoutFilter, BearerTokenAuthenticationFilter, BasicAuthenticationFilter, RequestCacheAwareFilter, SecurityContextHolderAwareRequestFilter, AnonymousAuthenticationFilter, SessionManagementFilter, ExceptionTranslationFilter, AuthorizationFilter
yes
dan1st, 3mo ago
Can you show the full logs?
harry039804 (OP), 3mo ago
100% debugging, because it's giving a different output without logging.level.org.springframework.security=DEBUG in application properties. Sure, hold on.
harry039804 (OP), 3mo ago
Pastebin: 2025-01-05T21:50:03.184Z INFO 84270 --- [restAPI] [ main...
dan1st, 3mo ago
oh you need to enable annotations like @PreAuthorize
harry039804 (OP), 3mo ago
o
dan1st, 3mo ago
I think @EnableMethodSecurity on the main class or the security config
harry039804 (OP), 3mo ago
ah. How do you know that lmao? Like, you got any links to good documentation?
harry039804 (OP), 3mo ago
Thank you that sorted it... I did remove that as it was not part of the tutorial I was watching so thought it was useless as the previous tutorial didn't actually explain its purpose... lmao
JavaBot, 3mo ago
Post Closed
This post has been closed.
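The configuration the thread converges on, as an added example rather than code posted by anyone in the thread. It puts @EnableMethodSecurity on the security configuration so that @PreAuthorize is evaluated at all (without it the annotated method runs as if it were unannotated, which is a silent fail-open, exactly what the 200 OK in the thread shows), and adds two things the thread's own log points at but does not spell out. First, the token's authority is logged as SCOPE_ROLE_USER, which is what the default JwtGrantedAuthoritiesConverter produces from a scope claim, so hasRole('ADMIN'), which checks for the authority ROLE_ADMIN, could never match even with method security on; the converter below drops the SCOPE_ prefix. Second, a URL-level rule for /admin keeps the endpoint protected even if method security is switched off again. The package name, the second in-memory user, and the assumption that roles are carried in the token's scope claim are mine for this example; the JwtDecoder (issuer or key configuration) is assumed to exist as in the original setup, since the thread's token did get authenticated.

```java
package com.example.restAPI.config; // assumed package; the thread only shows com.example.restAPI.controllers

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
// Without this annotation Spring Security never evaluates @PreAuthorize/@PostAuthorize:
// the controller method runs as if it were unannotated (the 200 OK seen in the thread).
@EnableMethodSecurity
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(authorize -> authorize
                // URL-level rule as a second layer: enforced by AuthorizationFilter even if
                // method security is removed again later. hasRole("ADMIN") means the
                // granted authority must be exactly "ROLE_ADMIN".
                .requestMatchers("/admin").hasRole("ADMIN")
                .anyRequest().authenticated()
            )
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter()))
            )
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

    // The thread's log shows Granted Authorities=[SCOPE_ROLE_USER]. That is the default
    // JwtGrantedAuthoritiesConverter at work: it reads the "scope"/"scp" claim and prepends
    // "SCOPE_" to every value, so hasRole('ADMIN') (authority ROLE_ADMIN) can never match
    // SCOPE_ROLE_ADMIN. Dropping the prefix maps a scope value ROLE_ADMIN to authority ROLE_ADMIN.
    // Assumption: the roles are carried in the scope claim, as the logged authority suggests.
    // If they live in a custom claim instead, also call authorities.setAuthoritiesClaimName("roles").
    private JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthorityPrefix("");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }

    @Bean
    public UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        // The user from the thread: roles("USER") yields authority ROLE_USER, so /admin must be refused.
        manager.createUser(User.withUsername("user").password("{noop}password").roles("USER").build());
        // Added for this example only: a principal that does satisfy hasRole('ADMIN').
        manager.createUser(User.withUsername("admin").password("{noop}password").roles("ADMIN").build());
        return manager;
    }
}
```

A quick check after applying this: the same GET /admin with the ROLE_USER token must now come back 403 instead of "Hello admin", and with logging.level.org.springframework.security=DEBUG the log must no longer show the request being mapped to HomeController#test() for that token. If a method-level rule is the only thing protecting an endpoint, it is worth keeping a test like that around, because removing @EnableMethodSecurity produces no startup error at all.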