
I'm working on a RESTful service that uses spring-boot-starter-oauth2-resource-server for security. It has some complex endpoint authorization requirements that involve decisions based not just on roles but on other claims in the JWT, like location. So the HttpSecurity config's hasRole is not enough.

Is there a way to use values from the JwtAuthenticationToken with Spring Security's expression-based access control and the HttpSecurity's access(String attribute) method? Or is there some other way to integrate different claims into endpoint authorization?

Any advice would be much appreciated.

CeeTee

1 Answer


You have access to the Authentication object using SpEL, so expressions like:

authentication.token.claims['preferred_username'] == ......

I have used it in methods, e.g.:

@PreAuthorize("#createSupportQueryRequest.username == authentication.token.claims['preferred_username']")
public void createNewQuery(@RequestBody CreateSupportQueryRequest createSupportQueryRequest) {
    // ... method body ...
}

But it should also work in the .access() method.

For more complicated stuff, you can reference a bean that's in your context from the expression using @, e.g.:

.access("@isPortfolioOwnerOrAdmin.check()")

This will call the check() method on the IsPortfolioOwnerOrAdmin bean.

Your bean class has access to the token via the SecurityContext, and you can perform your complex verification logic there and return either true or false.
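The following is an added example (not code from the question or the answer above) showing both approaches side by side: an inline SpEL expression in HttpSecurity.access(String) that reads a claim from the JwtAuthenticationToken, and a Spring bean referenced with @ for the more involved rule. It assumes Spring Boot 2.x with spring-boot-starter-oauth2-resource-server and Spring Security 5.x (the access(String) API the answer refers to). The bean name regionGuard, the URL paths, the "location" claim and the ROLE_ADMIN authority are hypothetical.

```java
// Added example, not from the original question or answer. Assumes Spring Boot 2.x and
// Spring Security 5.x (HttpSecurity.access(String)). The bean name "regionGuard", the
// paths, the "location" claim and the ROLE_ADMIN authority are hypothetical.

// ---- RegionGuard.java ----
import java.util.Set;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;

/** Referenced from SpEL as @regionGuard.<method>(authentication, ...). */
@Component("regionGuard")
public class RegionGuard {

    private static final Set<String> ALLOWED_REGIONS = Set.of("eu-west", "eu-central");

    /** True only for a JWT-backed principal whose "location" claim equals the required region. */
    public boolean inRegion(Authentication authentication, String required) {
        Jwt jwt = jwtOf(authentication);
        return jwt != null && required.equals(jwt.getClaimAsString("location"));
    }

    /** Admins pass regardless of location; everyone else must carry an allowed region. */
    public boolean inAllowedRegionOrAdmin(Authentication authentication) {
        Jwt jwt = jwtOf(authentication);
        if (jwt == null) {
            return false;
        }
        // ROLE_ADMIN assumes a JwtAuthenticationConverter that maps a roles claim to
        // ROLE_* authorities; the default converter only yields SCOPE_* from "scope".
        boolean admin = authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .anyMatch("ROLE_ADMIN"::equals);
        String location = jwt.getClaimAsString("location");
        return admin || (location != null && ALLOWED_REGIONS.contains(location));
    }

    /** Fail closed: anonymous or non-JWT authentications never satisfy a claim check. */
    private static Jwt jwtOf(Authentication authentication) {
        if (authentication instanceof JwtAuthenticationToken) {
            return ((JwtAuthenticationToken) authentication).getToken();
        }
        return null;
    }
}

// ---- ResourceServerConfig.java ----
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableGlobalMethodSecurity(prePostEnabled = true) // required for @PreAuthorize on methods
public class ResourceServerConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(authz -> authz
                // Inline SpEL on the JWT claim. isAuthenticated() is evaluated first and
                // short-circuits, so an anonymous request never reaches
                // authentication.token (AnonymousAuthenticationToken has no such property).
                .antMatchers("/api/eu/**")
                    .access("isAuthenticated() and authentication.token.claims['location'] == 'eu-west'")
                // The complex rule lives in the bean; SpEL resolves @regionGuard by bean name.
                .antMatchers("/api/reports/**")
                    .access("@regionGuard.inAllowedRegionOrAdmin(authentication)")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt());
    }
}
```

Two practical points: pass the Authentication into the bean method as an argument rather than reading it from SecurityContextHolder inside, which keeps the check unit-testable with a hand-built JwtAuthenticationToken; and guard every claim-based expression so a missing or non-JWT principal denies access instead of throwing during expression evaluation.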