
We are trying to authenticate / authorise our Java application using Spring Security. Our identity provider is a custom OAuth provider (it manages the user and its permissions) and upon successful authentication will redirect to our application with an access token (JWT). The token is signed using the HS256 algorithm, and upon successful decoding we can get all the permissions that are there for the user. Question is: how can I leverage the existing authorisation framework provided by Spring Security, like the JSR-250 annotations such as @RolesAllowed, with user details which the Spring framework does not hold?

In all the examples I have seen so far the Spring framework manages the UserDetailsService itself, so Spring is aware of the user details.

So the question is: how can I map the roles that I get in the token to inform the Spring framework to apply those roles against @RolesAllowed annotations on the REST endpoints? I believe I have to write some custom implementation of the UserDetailsService?

  • Are you set on using the `@RolesAllowed` annotation, or could you use something like `@PreAuthorize`? https://docs.spring.io/spring-security/site/docs/5.4.0-M1/reference/html5/#access-control-using-preauthorize-and-postauthorize – Eleftheria Stein-Kousathana Jul 15 '20 at 11:26
  • Yes, I am flexible to use @PreAuthorize as well, but is there a way to do this? – Manish kashyap Jul 15 '20 at 17:27
  • By default Spring Security populates the authorities based on the "scope" claim. If your JWT has the claim `scope=["read"]`, then the authority will be `SCOPE_read` and you can use `@PreAuthorize("hasAuthority('SCOPE_read')")`. See this answer for more details https://stackoverflow.com/a/59394341/11430047 – Eleftheria Stein-Kousathana Jul 16 '20 at 07:26
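The approach the comments point at, written out as an added example (this is not code from the question or from the commenters, and it assumes Spring Security 5.4-era APIs): no UserDetailsService is needed. The resource-server support decodes the JWT, and a `JwtGrantedAuthoritiesConverter` turns one of its claims into `GrantedAuthority` objects; by default that claim is `scope`/`scp` and the prefix is `SCOPE_`, which is why the comment suggests `hasAuthority('SCOPE_read')`. Pointing it at the IdP's permissions claim with a `ROLE_` prefix instead makes `@RolesAllowed` work, because the JSR-250 support prepends `ROLE_` to the names given in the annotation. The claim name `permissions`, the issuer and audience strings, and the secret placeholder are assumptions for the example; substitute the values your provider actually uses.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collection;
import javax.annotation.security.RolesAllowed;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableGlobalMethodSecurity(jsr250Enabled = true) // enables @RolesAllowed on Spring Security 5.x
public class ResourceServerConfig {

    // Assumed values for the example; in a real deployment load them from configuration, not source.
    // HS256 is symmetric: whoever holds this secret can mint a token with any permissions,
    // so it must be at least 32 bytes and shared only between the IdP and this service.
    private static final String HS256_SECRET = "replace-with-the-secret-shared-with-the-idp!";
    private static final String EXPECTED_ISSUER = "https://idp.example.com";   // assumed
    private static final String EXPECTED_AUDIENCE = "my-api";                  // assumed
    private static final String PERMISSIONS_CLAIM = "permissions";             // assumed claim name

    @Bean
    JwtDecoder jwtDecoder() {
        SecretKey key = new SecretKeySpec(HS256_SECRET.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withSecretKey(key)
                .macAlgorithm(MacAlgorithm.HS256) // pins the algorithm; an RS256 or "none" header is rejected
                .build();
        // Default validators check exp/nbf and iss; the audience check is added explicitly so a
        // token the same IdP issued for a different service is not accepted here.
        OAuth2TokenValidator<Jwt> audience = new JwtClaimValidator<Collection<String>>(
                "aud", aud -> aud != null && aud.contains(EXPECTED_AUDIENCE));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(EXPECTED_ISSUER), audience));
        return decoder;
    }

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName(PERMISSIONS_CLAIM); // default would be "scope" / "scp"
        authorities.setAuthorityPrefix("ROLE_");                // default would be "SCOPE_"
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, JwtDecoder decoder,
                                    JwtAuthenticationConverter converter) throws Exception {
        http
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.decoder(decoder).jwtAuthenticationConverter(converter)));
        return http.build();
    }
}

@RestController
class ReportController {

    // A token whose "permissions" claim is ["ADMIN"] (or the string "ADMIN VIEWER") yields the
    // authority ROLE_ADMIN; JSR-250 prepends ROLE_ to "ADMIN", so the check passes.
    @RolesAllowed("ADMIN")
    @GetMapping("/reports")
    public String reports() {
        return "reports";
    }
}
```

Send a request with `Authorization: Bearer <jwt>`; a token lacking `ADMIN` in the claim is answered with 403, and a token with a bad signature, wrong `alg`, wrong issuer or missing audience with 401. The same authorities also work with `@PreAuthorize("hasRole('ADMIN')")` if you prefer the SpEL form mentioned in the comments.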
