2023-02-26

HTTP error 403 while using role based authorization

My project is using JDK 8, Spring Boot 2.7.8 (I'm stuck with Java 8). I am successfully using Google OAuth2 for authentication. Users can log into and out of my site. They even have to authenticate to get to a /secure page and that works.

However, when I try to incorporate roles and/or authorities, I can only get HTTP 403 errors. I have a database with groups, users, group_members, etc., just like JdbcUserDetailsManager wants, and they're filled with data, as shown below.

[Screenshot: two different users in the database]

How can I get this to work? Below are code snippets.

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SecurityConfig {
  @Autowired
  DataSource dataSource;

  // Reads users/authorities (and, if enabled, groups) from the standard Spring Security JDBC schema
  @Bean
  public UserDetailsService userDetailsService() throws Exception {
    JdbcUserDetailsManager jdbcUserDetailsManager = new JdbcUserDetailsManager();

    jdbcUserDetailsManager.setDataSource(this.dataSource);

    return jdbcUserDetailsManager;
  }

  @Bean
  public SecurityFilterChain filterChain(
    HttpSecurity http) throws Exception {

    http
        .cors()
            .and()
        .csrf().disable()
        .authorizeRequests()
            // Rules are evaluated in order; the first matching rule wins
            .antMatchers("/secure/admin/**").hasAuthority("ADMIN")
            .antMatchers("/secure/**").authenticated()
            .antMatchers("/**").permitAll()
            .antMatchers("/logout").permitAll()
            .and()
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
            .and()
        .userDetailsService(userDetailsService())
        .oauth2Login()
            .loginPage(SecurityController.LOGIN_PAGE_MAPPING)
            .defaultSuccessUrl(SecurityController.LOGIN_SUCCESS_MAPPING)
            .failureUrl("/login-failure-page")
            .and()
        .exceptionHandling()
            .accessDeniedPage("/access-denied-page")
            .and()
        .userDetailsService(userDetailsService()) // redundant: already registered above
        .logout()
            .logoutUrl("/logout")
            .clearAuthentication(true)
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID")
        .logoutSuccessUrl(SecurityController.LOGOUT_PAGE_MAPPING).permitAll();

    // For Firefox and h2-console
    http
        .headers()
            .frameOptions().disable();

    return http.build();
  }
}

Below are excerpts from the log file.

2023-02-24 09:36:57.391 DEBUG 36STXT2 --- [io-8600-exec-10] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2023-02-24 09:36:57.391 DEBUG 36STXT2 --- [nio-8600-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2023-02-24 09:36:57.452 DEBUG 36STXT2 --- [nio-8600-exec-5] o.s.s.w.FilterChainProxy                 : Securing GET /secure/admin/images/ui-bg_highlight-soft_100_deedf7_1x100.png
2023-02-24 09:36:57.452 DEBUG 36STXT2 --- [nio-8600-exec-5] w.c.HttpSessionSecurityContextRepository : Retrieved SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [...], Granted Authorities: [[ROLE_USER, SCOPE_https://www.googleapis.com/auth/userinfo.email, SCOPE_https://www.googleapis.com/auth/userinfo.profile, SCOPE_openid]], User Attributes: [{at_hash=..., sub=..., email_verified=true, iss=https://accounts.google.com, given_name=..., locale=en, nonce=..., picture=..., aud=[...apps.googleusercontent.com], azp=...apps.googleusercontent.com, name=..., exp=2023-02-24T18:36:54Z, family_name=..., iat=2023-02-24T17:36:54Z, email=...}], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=...], Granted Authorities=[ROLE_USER, SCOPE_https://www.googleapis.com/auth/userinfo.email, SCOPE_https://www.googleapis.com/auth/userinfo.profile, SCOPE_openid]]]
2023-02-24 09:36:57.452 DEBUG 36STXT2 --- [nio-8600-exec-5] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [...], Granted Authorities: [[ROLE_USER, SCOPE_https://www.googleapis.com/auth/userinfo.email, SCOPE_https://www.googleapis.com/auth/userinfo.profile, SCOPE_openid]], User Attributes: [{at_hash=..., sub=..., email_verified=true, iss=https://accounts.google.com, given_name=..., locale=en, nonce=..., picture=https://lh3.googleusercontent.com/a/AGNmyxZaS0UTnXNuuvQh-HJ6ksu_COG5bFPQj4VZq5X7=s96-c, aud=[411774966392-ct0mr3fbeitc10svg2c3mdotsidprmke.apps.googleusercontent.com], azp=...apps.googleusercontent.com, name=..., exp=2023-02-24T18:36:54Z, family_name=..., iat=2023-02-24T17:36:54Z, email=...}], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=...], Granted Authorities=[ROLE_USER, SCOPE_https://www.googleapis.com/auth/userinfo.email, SCOPE_https://www.googleapis.com/auth/userinfo.profile, SCOPE_openid]]]
2023-02-24 09:36:57.452 DEBUG 36STXT2 --- [nio-8600-exec-5] o.s.w.s.h.SimpleUrlHandlerMapping        : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2023-02-24 09:36:57.452 DEBUG 36STXT2 --- [nio-8600-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor    : Failed to authorize filter invocation [GET /secure/admin/images/ui-bg_highlight-soft_100_deedf7_1x100.png] with attributes [hasAuthority('ROLE_ADMIN')]
2023-02-24 09:36:57.453 DEBUG 36STXT2 --- [nio-8600-exec-5] o.s.s.w.a.AccessDeniedHandlerImpl        : Forwarding to /access-denied-page with status code 403
2023-02-24 09:36:57.453 DEBUG 36STXT2 --- [nio-8600-exec-5] o.s.w.s.DispatcherServlet                : "FORWARD" dispatch for GET "/google-sec-demo/access-denied-page", parameters={}
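An added example, not code from the original post, showing how the JDBC authorities can be attached to the Google login: `userDetailsService()` on `HttpSecurity` only feeds the username/password provider, so an OIDC login keeps the `ROLE_USER` and `SCOPE_*` authorities seen in the log unless a `GrantedAuthoritiesMapper` adds the database ones. Class and bean names are mine, and it assumes the database username equals the Google account email; note that `JdbcUserDetailsManager` ignores the group tables until `setEnableGroups(true)` is called, and that the log shows the rule evaluating as `hasAuthority('ROLE_ADMIN')`, so the stored authority string must match the matcher literally.

```java
import java.util.HashSet;
import java.util.Set;
import javax.sql.DataSource;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.provisioning.JdbcUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class DbAuthoritiesConfig { // hypothetical class name, not from the post
  @Bean
  public JdbcUserDetailsManager jdbcUserDetailsManager(DataSource dataSource) {
    JdbcUserDetailsManager manager = new JdbcUserDetailsManager(dataSource);
    manager.setEnableGroups(true); // default is false: group_members/group_authorities are otherwise never read
    return manager;
  }
  // Runs after Google's OIDC login; adds the DB authorities of the user whose username equals the Google email
  @Bean
  public GrantedAuthoritiesMapper dbAuthoritiesMapper(JdbcUserDetailsManager users) {
    return authorities -> {
      Set<GrantedAuthority> mapped = new HashSet<>(authorities); // keep ROLE_USER and SCOPE_* from Google
      for (GrantedAuthority authority : authorities) {
        if (!(authority instanceof OidcUserAuthority)) continue;
        String email = ((OidcUserAuthority) authority).getIdToken().getEmail();
        if (email == null) continue;
        try {
          mapped.addAll(users.loadUserByUsername(email).getAuthorities());
        } catch (UsernameNotFoundException e) {
          // Unknown to our tables: keep only Google's authorities, so /secure/admin/** still answers 403
        }
      }
      return mapped;
    };
  }
  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http, GrantedAuthoritiesMapper mapper) throws Exception {
    http.authorizeRequests()
          .antMatchers("/secure/admin/**").hasAuthority("ROLE_ADMIN") // must equal the stored string exactly
          .antMatchers("/secure/**").authenticated()
          .anyRequest().permitAll()
        .and()
        .oauth2Login().userInfoEndpoint().userAuthoritiesMapper(mapper);
    return http.build();
  }
}
```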

