
I am trying to get Spring method security running and I have the following problems with my token.

It looks like this (Access Token, after calling check_token on the AuthServer):

[screenshot: Access Token]

There are nine authorities. BUT......if I try to check like this:

[screenshot: Auth_not_Working]

I get the following error:

    <ForbiddenException>
        <error>access_denied</error>
        <error_description>Zugriff verweigert</error_description>
    </ForbiddenException>

When I try that:

[screenshot: Auth_works]

It works fine.

So I debugged without the annotation in order to look into the Authentication parameter that I use in the method signature. And I found out that there is only the last authority in the list.

[screenshot: authorities]

I think that this is the problem and the reason why it only works when I check for "delete_user" and not for all the other authorities that are in the access token.

Does anybody have an idea why all authorities are in the token but Spring only has the last one added in the Authentication object?

UPDATE

I dived very deep with debugging and I think I found the problem, but still don't know how to fix it.

Before doing the auth, Spring calls the "check_token" API of my auth server. And the response actually looks like in the screenshot above -> "authorities" is a list of Strings.

BUT..... Spring uses Jackson to convert the whole token content to a map. But it converts all lists to a single string, which then is always the last value. The problematic line of code should be this:

[screenshot: NoTypeDescr]

There is no type descriptor (should be array) set, so Jackson takes it as a single string.

Spring uses jackson-databind-2.11.0

Any idea how that could be fixed?

MarkusJackson
  • How do you generate that information, and how do you manage (include in `Authentication`) the received one? – doctore Jul 11 '20 at 10:45
  • I have gone into deep debugging and updated the question. Look at the content after the "UPDATE" line. I don't know what information you mean with "that" and the "received one". – MarkusJackson Jul 13 '20 at 09:27
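A way to check, outside of Spring, what Jackson actually produces for the `authorities` claim of a check_token response, and to make the resource side tolerant of both shapes the claim can take. This is an added example, not code from the question or from Spring's own `RemoteTokenServices`; it assumes only jackson-databind on the classpath, and the two JSON bodies, the user name and the authority names are constructed sample values, not taken from the question's screenshots.

```java
// Added example (not from the question or from Spring's code): parse a
// constructed check_token response with Jackson into a generic Map and
// normalise the "authorities" claim, whether the server sent it as a JSON
// array, a single string, or a space/comma separated string (the "scope"
// style of RFC 7662 introspection responses).
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.Arrays;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class IntrospectionAuthorities {

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Constructed samples: the shape of a check_token body; all values are made up.
    static final String SAMPLE_ARRAY = "{\"active\":true,\"user_name\":\"alice\","
            + "\"authorities\":[\"read_user\",\"write_user\",\"delete_user\"]}";
    static final String SAMPLE_STRING = "{\"active\":true,\"user_name\":\"alice\","
            + "\"authorities\":\"read_user write_user delete_user\"}";

    /** Parse the raw body the same way a generic Map<String,Object> deserialisation does. */
    static Map<String, Object> parse(String body) throws Exception {
        return MAPPER.readValue(body, new TypeReference<Map<String, Object>>() {});
    }

    /** Normalise the "authorities" claim to an ordered set of authority names. */
    static Set<String> authorities(Map<String, Object> claims) {
        Object raw = claims.get("authorities");
        Set<String> out = new LinkedHashSet<>();
        if (raw instanceof Collection) {
            // JSON array: Jackson yields a List, keep every element.
            for (Object o : (Collection<?>) raw) {
                if (o != null) out.add(o.toString());
            }
        } else if (raw instanceof String) {
            // Single string: split on whitespace or commas, drop empty tokens.
            for (String s : ((String) raw).split("[\\s,]+")) {
                if (!s.isEmpty()) out.add(s);
            }
        }
        return out;
    }

    /** True only if the token is active and carries every required authority. */
    static boolean hasAll(Map<String, Object> claims, String... required) {
        if (!Boolean.TRUE.equals(claims.get("active"))) return false;
        return authorities(claims).containsAll(Arrays.asList(required));
    }

    public static void main(String[] args) throws Exception {
        for (String body : List.of(SAMPLE_ARRAY, SAMPLE_STRING)) {
            Map<String, Object> claims = parse(body);
            // Shows the runtime type Jackson chose for the claim (ArrayList vs String).
            System.out.println("raw type: " + claims.get("authorities").getClass().getSimpleName());
            System.out.println("authorities: " + authorities(claims));
            System.out.println("active with write_user+delete_user: "
                    + hasAll(claims, "write_user", "delete_user"));
        }
    }
}
```

Running `main` prints the runtime type Jackson assigned to the claim for each body, which is the quickest way to confirm whether the collapse to a single value happens during JSON parsing or later, when the map is turned into an `Authentication`. The `hasAll` check also refuses an inactive token, so an authorization decision never rests on the authority list alone.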
