Spring boot 1.5.4 oauth2 Resource Server with Spring boot 1.2.4 oauth2 authorization server

Question

I am new to Spring boot and Spring oauth2 and somehow after googling got examples using spring boot 1.2.4 with mongodb. The following are the setup:

• Spring boot 1.2.4 and Spring oauth2 2.0.7 for Authorization Server

• Spring boot 1.5.4 and spring oauth2 2.0.7 for Resource Server

The controller code snippet for Resource Server is as below :

@RequestMapping("/hello")
@ResponseBody
@PreAuthorize("hasRole('Dev')")
//@PreAuthorize("hasRole('Dev')")
public String helloWorld() {
    return "Hello World.";
}

When resource and authorization servers were spring boot 1.2.4 authorization were working FINE but with different versions it seems to be incompatible, as it throws an error :

{
"error": "access_denied",
"error_description": "Access is denied"
}  

When i put the logging in 1.5.4 this is the log result :

      2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Secure object: ReflectiveMethodInvocation: public java.lang.String st.malike.auth.client.http.DemoController.helloWorld(); target is of class [st.malike.auth.client.http.DemoController]; Attributes: [[authorize: '#oauth2.throwOnError(hasRole('Dev'))', filter: 'null', filterTarget: 'null']]
     2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.a.i.a.MethodSecurityInterceptor - Previously Authenticated: org.springframework.security.oauth2.provider.OAuth2Authentication@1c32aba2: Principal: null; Credentials: [PROTECTED]; Authenticated: true; Details: remoteAddress=0:0:0:0:0:0:0:1, tokenType=BearertokenValue=<TOKEN>; Granted Authorities: Dev
   2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@6d6b90, returned: -1
   2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@1deeabb9, returned: 0
   2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@1c3cd0b, returned: 0
   2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.b.f.s.DefaultListableBeanFactory - Returning cached instance of singleton bean 'delegatingApplicationListener'
     2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.w.s.m.m.a.ExceptionHandlerExceptionResolver - Resolving exception from handler [public java.lang.String st.malike.auth.client.http.DemoController.helloWorld()]: org.springframework.security.access.AccessDeniedException: Access is denied
   2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.w.s.m.a.ResponseStatusExceptionResolver - Resolving exception from handler [public java.lang.String st.malike.auth.client.http.DemoController.helloWorld()]: org.springframework.security.access.AccessDeniedException: Access is denied
  2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.w.s.m.s.DefaultHandlerExceptionResolver - Resolving exception from handler [public java.lang.String st.malike.auth.client.http.DemoController.helloWorld()]: org.springframework.security.access.AccessDeniedException: Access is denied
    2017-06-28 23:25:13 [http-nio-8081-exec-1] DEBUG o.s.web.servlet.DispatcherServlet - Could not complete request
   org.springframework.security.access.AccessDeniedException: Access is denied

Now I know the line is causing trouble in Spring-boot-1.5.3

  o.s.s.access.vote.AffirmativeBased - Voter: org.springframework.security.access.prepost.PreInvocationAuthorizationAdviceVoter@6d6b90, returned: -1

Please help how to make authorizations with the above setups or how to make the authorization work.

Answer 1

I changed spring-security version to 3.2.10.RELEASE in Resource Server with spring-boot 1.5.3 , all working fine. It seems that spring-security logic in 4.x is changed and is not compatible.