HTTP error 403 while using role based authorization

By -

My project is using JDK 8, Spring Boot 2.7.8 (I'm stuck with Java 8). I am successfully using Google OAuth2 for authentication. Users can log into and out of my site. They even have to authenticate to get to a /secure page and that works.

However, when I try to incorporate role and/or authorities, I can only get HTTP 403 errors. I have a database with groups, users, group_members, etc, just like JdbcUserDetailsManager wants, and they're filled with data, as shown below.

Two different users in the database

How can I get this to work? Below are code snippets.

@Configuration
public class SecurityConfig {
  @Autowired
  DataSource dataSource;

  @Bean
  public UserDetailsService userDetailsService() throws Exception {
    JdbcUserDetailsManager jdbcUserDetailsManager = new JdbcUserDetailsManager();

    jdbcUserDetailsManager.setDataSource(this.dataSource);

    return jdbcUserDetailsManager;
  }

  @Bean
  public SecurityFilterChain filterChain(
    HttpSecurity http) throws Exception {

    http
        .cors()
            .and()
        .csrf().disable()
        .authorizeRequests()
            .antMatchers("/secure/admin/**").hasAuthority("ADMIN")
            .antMatchers("/secure/**").authenticated()
            .antMatchers("/**").permitAll()
            .antMatchers("/logout").permitAll()
            .and()
        .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.ALWAYS)    
            .and()//
        .userDetailsService(userDetailsService())
        .oauth2Login()
            .loginPage(SecurityController.LOGIN_PAGE_MAPPING)//
            .defaultSuccessUrl(SecurityController.LOGIN_SUCCESS_MAPPING)
            .failureUrl("/login-failure-page")
            .and()
        .exceptionHandling()
            .accessDeniedPage("/access-denied-page")
            .and()
        .userDetailsService(userDetailsService())
        .logout()
            .logoutUrl("/logout")
            .clearAuthentication(true)
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID")
        .logoutSuccessUrl(SecurityController.LOGOUT_PAGE_MAPPING).permitAll();

    // For Firefox and h2-console
    http
        .headers()
            .frameOptions().disable();

    return http.build();
  }
}

Below are excerpts from the log file.

2023-02-24 09:36:57.391 DEBUG 36STXT2 --- [io-8600-exec-10] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2023-02-24 09:36:57.391 DEBUG 36STXT2 --- [nio-8600-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2023-02-24 09:36:57.452 DEBUG 36STXT2 --- [nio-8600-exec-5] o.s.s.w.FilterChainProxy                 : Securing GET /secure/admin/images/ui-bg_highlight-soft_100_deedf7_1x100.png
2023-02-24 09:36:57.452 DEBUG 36STXT2 --- [nio-8600-exec-5] w.c.HttpSessionSecurityContextRepository : Retrieved SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [...], Granted Authorities: [[ROLE_USER, SCOPE_https://www.googleapis.com/auth/userinfo.email, SCOPE_https://www.googleapis.com/auth/userinfo.profile, SCOPE_openid]], User Attributes: [{at_hash=..., sub=..., email_verified=true, iss=https://accounts.google.com, given_name=..., locale=en, nonce=..., picture=..., aud=[...apps.googleusercontent.com], azp=...apps.googleusercontent.com, name=..., exp=2023-02-24T18:36:54Z, family_name=..., iat=2023-02-24T17:36:54Z, email=...}], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=...], Granted Authorities=[ROLE_USER, SCOPE_https://www.googleapis.com/auth/userinfo.email, SCOPE_https://www.googleapis.com/auth/userinfo.profile, SCOPE_openid]]]
2023-02-24 09:36:57.452 DEBUG 36STXT2 --- [nio-8600-exec-5] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: [...], Granted Authorities: [[ROLE_USER, SCOPE_https://www.googleapis.com/auth/userinfo.email, SCOPE_https://www.googleapis.com/auth/userinfo.profile, SCOPE_openid]], User Attributes: [{at_hash=..., sub=..., email_verified=true, iss=https://accounts.google.com, given_name=..., locale=en, nonce=..., picture=https://lh3.googleusercontent.com/a/AGNmyxZaS0UTnXNuuvQh-HJ6ksu_COG5bFPQj4VZq5X7=s96-c, aud=[411774966392-ct0mr3fbeitc10svg2c3mdotsidprmke.apps.googleusercontent.com], azp=...apps.googleusercontent.com, name=..., exp=2023-02-24T18:36:54Z, family_name=..., iat=2023-02-24T17:36:54Z, email=...}], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=127.0.0.1, SessionId=...], Granted Authorities=[ROLE_USER, SCOPE_https://www.googleapis.com/auth/userinfo.email, SCOPE_https://www.googleapis.com/auth/userinfo.profile, SCOPE_openid]]]
2023-02-24 09:36:57.452 DEBUG 36STXT2 --- [nio-8600-exec-5] o.s.w.s.h.SimpleUrlHandlerMapping        : Mapped to ResourceHttpRequestHandler [classpath [META-INF/resources/], classpath [resources/], classpath [static/], classpath [public/], ServletContext [/]]
2023-02-24 09:36:57.452 DEBUG 36STXT2 --- [nio-8600-exec-5] o.s.s.w.a.i.FilterSecurityInterceptor    : Failed to authorize filter invocation [GET /secure/admin/images/ui-bg_highlight-soft_100_deedf7_1x100.png] with attributes [hasAuthority('ROLE_ADMIN')]
2023-02-24 09:36:57.453 DEBUG 36STXT2 --- [nio-8600-exec-5] o.s.s.w.a.AccessDeniedHandlerImpl        : Forwarding to /access-denied-page with status code 403
2023-02-24 09:36:57.453 DEBUG 36STXT2 --- [nio-8600-exec-5] o.s.w.s.DispatcherServlet                : "FORWARD" dispatch for GET "/google-sec-demo/access-denied-page", parameters={}


Comments

Post a Comment

Popular posts from this blog

Today Walkin 14th-Sept

By -
Image
14th Sept 2017 ( GO Through all List) Read Walkin details properly , Try to call company before attending if possible !!! ==================================== 1. Myntra through fresherworld (Call Based , Venue shared to shortlisted candidates) _____________________________ 2. Magna : Hiring for Client Harman : C++
Read more

Hibernate Search - Elasticsearch with JSON manipulation

By -
Elasticsearch with JSON manipulation Elasticsearch ships with many features. It is possible that at some point, one feature you need will not be exposed by the Search DSL. To work around such limitations, Hibernate Search provides ways to: Transform the HTTP request sent to Elasticsearch for search queries. Read the raw JSON of the HTTP response received from Elasticsearch for search queries. Direct changes to the HTTP request may conflict with Hibernate Search features and be supported differently by different versions of Elasticsearch. Similarly, the content of the HTTP response may change depending on the version of Elasticsearch, depending on which Hibernate Search features are used, and even depending on how Hibernate Search features are implemented. Thus, features relying on direct access to HTTP requests or responses cannot be guaranteed to continue to work when upgrading Hibernate Search, even for micro upgrades (x.y.z to x.y.(z+1)). Use this at your own risk.
Read more

Spring Elasticsearch Operations

By -
Elasticsearch Operations Spring Data Elasticsearch uses two interfaces to define the operations that can be called against an Elasticsearch index. These are ElasticsearchOperations and ReactiveElasticsearchOperations. Whereas the first is used with the classic synchronous implementations, the second one uses reactive infrastructure. The default implementations of the interfaces offer: Read/Write mapping support for domain types. A rich query and criteria api. Resource management and Exception translation. ElasticsearchTemplate The ElasticsearchTemplate is an implementation of the ElasticsearchOperations interface using the Transport Client. @Configuration public class TransportClientConfig extends ElasticsearchConfigurationSupport {   @Bean   public Client elasticsearchClient() throws UnknownHostException {                      Settings settings = Settings.builder().put("cluster.name", "elasticsearch").build();     TransportClient client = new P
Read more