eugenp / tutorials


hasRole not checked

Hans-MartinHannibalLauridsen opened this issue · comments

Article https://www.baeldung.com/spring-boot-keycloak
Module https://github.com/eugenp/tutorials/tree/master/spring-boot-modules/spring-boot-keycloak

I attempted to morph this into Kotlin and Spring Boot 3 using org.springframework.boot:spring-boot-gradle-plugin:3.0.6

The oauth2login works like a charm and can even set up a resource server validating JWT tokens, which all works fine; however, the security filter does not seem to work as described in the article. Adding the second security filter does not provide additional JWT validation; it seems to be simply ignored once the oauth2login has done its authentication step.

Any user authenticated by the oauth2login gets access to the /customer* endpoint even though they do not have the role "USER".
```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.annotation.Order
import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer
import org.springframework.security.core.session.SessionRegistryImpl
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy

@Configuration
@EnableWebSecurity
class WebSecurityConfiguration(private val keycloakLogoutHandler: KeycloakLogoutHandler?) {

    // First chain: browser login via Keycloak. No securityMatcher is set, so it is applied to every request.
    @Order(1)
    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http.authorizeHttpRequests()
            .requestMatchers("/", "/css/landing/**", "/favicon.png").permitAll()
            .anyRequest().authenticated()

        http.oauth2Login()
            .and()
            .logout()
            .addLogoutHandler(keycloakLogoutHandler)
            .logoutSuccessUrl("/")

        return http.build()
    }

    // Second chain: JWT resource server, intended to require ROLE_USER on /customer*.
    @Order(2)
    @Bean
    fun resourceServerFilterChain(http: HttpSecurity): SecurityFilterChain {
        http.authorizeHttpRequests()
            .requestMatchers("/customer*").hasRole("USER")
            .anyRequest().authenticated()
            .and()
            .oauth2ResourceServer { obj: OAuth2ResourceServerConfigurer<HttpSecurity> -> obj.jwt() }
        return http.build()
    }

    @Bean
    fun authenticationManager(http: HttpSecurity): AuthenticationManager {
        return http.getSharedObject(AuthenticationManagerBuilder::class.java)
            .build()
    }

    // Register sessions so that Keycloak back-channel logout can invalidate them.
    @Bean
    fun sessionAuthenticationStrategy(): SessionAuthenticationStrategy? {
        return RegisterSessionAuthenticationStrategy(SessionRegistryImpl())
    }
}
```

I would have expected that the second resource server filter would perform JWT validation as described in the article, but it does not seem to be triggered.
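Spring Security walks the registered chains in `@Order` and hands each request to the first one whose `securityMatcher` matches; a chain with no `securityMatcher` matches every request, so an `@Order(1)` catch-all chain means the `@Order(2)` chain, and its `hasRole("USER")` rule, is never consulted. The configuration below is an added example, not code from the issue or the Baeldung article, that scopes the JWT chain to `/customer*` so it is evaluated first; it assumes the article's `KeycloakLogoutHandler` class and that Keycloak places realm roles in the JWT's `realm_access.roles` claim.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.annotation.Order
import org.springframework.security.config.Customizer
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.core.authority.SimpleGrantedAuthority
import org.springframework.security.oauth2.jwt.Jwt
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter
import org.springframework.security.web.SecurityFilterChain

// Added example; assumes the article's KeycloakLogoutHandler bean and Keycloak realm roles in realm_access.roles.
@Configuration
@EnableWebSecurity
class ScopedChainsConfiguration(private val keycloakLogoutHandler: KeycloakLogoutHandler) {

    // Spring Security hands each request to the FIRST chain whose securityMatcher matches.
    // Scoping this chain to /customer* is what makes hasRole("USER") actually run there.
    @Order(1)
    @Bean
    fun customerApiChain(http: HttpSecurity): SecurityFilterChain {
        http.securityMatcher("/customer*")
            .authorizeHttpRequests { auth -> auth.anyRequest().hasRole("USER") }
            .oauth2ResourceServer { rs -> rs.jwt { it.jwtAuthenticationConverter(keycloakRealmRoles()) } }
        return http.build()
    }

    // Catch-all chain (no securityMatcher) for the browser flow; it must come AFTER the scoped one.
    @Order(2)
    @Bean
    fun browserLoginChain(http: HttpSecurity): SecurityFilterChain {
        http.authorizeHttpRequests { auth ->
                auth.requestMatchers("/", "/css/landing/**", "/favicon.png").permitAll()
                    .anyRequest().authenticated()
            }
            .oauth2Login(Customizer.withDefaults())
            .logout { it.addLogoutHandler(keycloakLogoutHandler).logoutSuccessUrl("/") }
        return http.build()
    }

    // hasRole("USER") looks for the authority ROLE_USER; map Keycloak realm roles onto that prefix.
    private fun keycloakRealmRoles(): JwtAuthenticationConverter {
        val converter = JwtAuthenticationConverter()
        converter.setJwtGrantedAuthoritiesConverter { jwt: Jwt ->
            val roles = jwt.getClaimAsMap("realm_access")?.get("roles") as? Collection<*> ?: emptyList<Any>()
            roles.map { SimpleGrantedAuthority("ROLE_$it") }
        }
        return converter
    }
}
```

With this ordering a session-authenticated browser user without `ROLE_USER` receives 403 on `/customer*` instead of passing through the login chain's `anyRequest().authenticated()` rule.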

Hey, @Hans-MartinHannibalLauridsen.

Unfortunately, we can only help with questions that are specifically and directly related to the article - not with your own, custom modifications.

StackOverflow is a great place to ask more general questions.

That's primarily because we get a large number of questions and - while we do try to go through as much as everything and help wherever we can, we can't really get back to all of them.

Hope that makes sense.