harry039804
Java Community | Help. Code. Learn.
Created by harry039804 on 1/5/2025 in #java-help
Spring Boot ignoring roles
I am new to Spring Boot and decided to follow a tutorial on how to create a JWT REST API with it. Upon doing this, I noticed that it now completely ignores my @PreAuthorize annotations. In a REST controller class:
    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin")
    public String test() {
        return "Hello admin";
    }
My SecurityFilterChain in my securityConfiguration class:
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(csrf -> csrf.disable())
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated()
            )
            .oauth2ResourceServer((oauth2) -> oauth2.jwt(Customizer.withDefaults()))
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
45 replies
Created by harry039804 on 1/4/2025 in #java-help
Spring Boot security
So I am new to Spring Boot security and have tried searching this but have not managed to find any concrete answers. Upon authorising HTTP requests in the SecurityFilterChain class it has .formLogin() and .httpBasic(). I was wondering what is the difference between these two? Should I use both or just one of them? In what circumstances should I use either one? I am aware that .formLogin() creates an HTML login page, but apart from that, what is the difference between these?
4 replies