0

I have the following 3 micro-services in place

  • Config Server
  • Auth Server using MongoDB referencing link. I successfully migrated the project from 1.2.4 to 1.3.3
  • User Service. A Rest Controller and a Resource Server with 3 Get methods.(each for ADMIN,MERCHANT and CONSUMER)

I am looking to restrict access to the GET methods of the REST Controller based on the role of the user. The Resource Configuration is as follows

 @Configuration
@EnableResourceServer
public class ResourceServerConfiguration extends ResourceServerConfigurerAdapter {

    @Override 
    public void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
        .antMatchers(HttpMethod.GET, "/**").hasAuthority("ROLE_ADMIN")
            .anyRequest()
                .authenticated();
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
         resources.resourceId("admin-api");
    }
}

To test I am simply trying to lock the User Service for all users except with role ADMIN. However, I get 401 Access Denied. I have also tried hasRole("ADMIN") with same result. If i remove that authorization criteria then the user is rightly authenticated(does not accept wrong access token). The response from userInfoUri of the auth server is as follows

{
  "details": {
    "remoteAddress": "0:0:0:0:0:0:0:1",
    "sessionId": null,
    "tokenValue": "a4244b33-80b2-48db-909d-f8aaaaf45985",
    "tokenType": "Bearer",
    "decodedDetails": null
  },
  "authorities": [
    {
      "authority": "ROLE_ADMIN"
    }
  ],
  "authenticated": true,
  "userAuthentication": {
    "details": null,
    "authorities": [
      {
        "authority": "ROLE_ADMIN"
      }
    ],
    "authenticated": true,
    "principal": "admin@ikarma.com",
    "credentials": null,
    "client": false,
    "name": "admin@ikarma.com"
  },
  "credentials": "",
  "clientOnly": false,
  "oauth2Request": {
    "clientId": "admin-web",
    "scope": [
      "trust",
      "read",
      "write"
    ],
    "requestParameters": {
      "grant_type": "password",
      "username": "admin@ikarma.com"
    },
    "resourceIds": null,
    "authorities": [],
    "approved": true,
    "refresh": false,
    "redirectUri": null,
    "responseTypes": [],
    "extensions": {},
    "refreshTokenRequest": null,
    "grantType": "password"
  },
  "principal": "admin@ikarma.com",
  "name": "admin@ikarma.com"
}

I am not able to figure out why role based authorization is not working. Any help is kindly appreciated.

ionade
  • 1
  • 1
  • 4

2 Answers2

0

Change spring-security-oauth2 dependency to this

<dependency>
<groupId>org.springframework.security.oauth</groupId>
 <artifactId>spring-security-oauth2</artifactId>
 <version>2.0.7.RELEASE</version>
</dependency>
Malike St
  • 16
0

Make sure that the implementation of JWT encode/decode is the same on the both side resource server and auth server. Also please try on the oauth server to create inMemory the 3 users with the 3 roles:

@Configuration
public class BasicSecurityConfig extends WebSecurityConfigurerAdapter {
...
    @Autowired
        public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
            auth.inMemoryAuthentication()
                    .withUser("user").password("user").authorities("read").roles("USER")
                .and()
                    .withUser("admin").password("admin").authorities("read","write").roles("ADMIN");
        }
...
}

Try to receive an access_token for these users and then make a request to the resource server including in request the header Authorization: bearer [access_token] If you will get the same error means that your JWT implementation is not right... Please take a look about JWT here https://bshaffer.github.io/oauth2-server-php-docs/overview/jwt-access-tokens/

RazvanParautiu
  • 2,805
  • 2
  • 18
  • 21