This repository has been archived by the owner on May 31, 2022. It is now read-only.

user's roles or GrantedAuthorities are not wrapped into JwtAuthenticationToken's authorities field #1659

Closed
seelikes opened this issue Apr 11, 2019 · 1 comment

Comments

@seelikes

Summary

The user's roles or GrantedAuthorities are not wrapped into JwtAuthenticationToken's authorities field, so @PreAuthorize with hasRole always returns false.

Only the scopes exist in the authorities field of JwtAuthenticationToken.

The user's roles or GrantedAuthorities are those that are granted to the user itself.

Version

spring-boot-starter-security:2.1.3.RELEASE

@seelikes
Author

seelikes commented Apr 12, 2019

I dug into the source code and found JwtAuthenticationConverter::extractAuthorities, which is causing this problem.

// JwtAuthenticationConverter (spring-security-oauth2-resource-server 5.1.x):
// only the "scope"/"scp" claim is turned into authorities, each prefixed with "SCOPE_".
protected Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
    return this.getScopes(jwt)
        .stream()
        .map(authority -> SCOPE_AUTHORITY_PREFIX + authority)
        .map(SimpleGrantedAuthority::new)
        .collect(Collectors.toList());
}

When it comes time to create the AbstractAuthenticationToken, the method here just gets the scopes of the Jwt, which loses all the authorities from the claims.

If anyone knows the source code, please help to fix it. I personally think this is a bug without any doubt and should be fixed. Or could anyone give me the link to spring-security-oauth2-resource-server, with my full thanks; I cannot find it under spring-projects.
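One way to get role-based hasRole checks working on Spring Security 5.1 (the version shipped with spring-boot-starter-security 2.1.3) is to subclass JwtAuthenticationConverter and override the protected extractAuthorities method quoted above, keeping the stock SCOPE_ authorities and adding ROLE_ authorities from a claim in the token. The following is an added example written for this issue, not code from Spring Security or from the issue author; the claim name "roles", the ROLE_ prefix and the class names are assumptions and must match what your authorization server actually puts in the JWT.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;

/**
 * Added example (not Spring Security's own code): keeps the SCOPE_ authorities
 * the stock converter produces and additionally maps a "roles" claim (assumed
 * claim name) to ROLE_ authorities so that hasRole("ADMIN") in @PreAuthorize
 * matches a token carrying "roles": ["ADMIN"].
 */
public class RolesAwareJwtAuthenticationConverter extends JwtAuthenticationConverter {

    // Both values are assumptions; change them to what your issuer emits.
    private static final String ROLES_CLAIM = "roles";
    private static final String ROLE_PREFIX = "ROLE_";

    @Override
    protected Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
        // Start from the parent's scope-derived authorities (SCOPE_xxx) so existing
        // hasAuthority("SCOPE_read") checks keep working.
        Collection<GrantedAuthority> authorities = new ArrayList<>(super.extractAuthorities(jwt));

        // getClaimAsStringList returns null when the claim is absent; a token without
        // roles must still authenticate, just with no ROLE_ authorities.
        List<String> roles = jwt.getClaimAsStringList(ROLES_CLAIM);
        if (roles != null) {
            authorities.addAll(roles.stream()
                .filter(role -> role != null && !role.trim().isEmpty())
                .map(String::trim)
                // hasRole("ADMIN") looks for the authority "ROLE_ADMIN"; do not double-prefix
                // if the issuer already sends "ROLE_ADMIN".
                .map(role -> role.startsWith(ROLE_PREFIX) ? role : ROLE_PREFIX + role)
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList()));
        }
        return authorities;
    }
}

/**
 * Registers the converter with the resource server. In Spring Security 5.1 the
 * JwtConfigurer accepts any Converter<Jwt, AbstractAuthenticationToken> here.
 */
@EnableWebSecurity
class ResourceServerSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .oauth2ResourceServer()
                .jwt()
                    .jwtAuthenticationConverter(new RolesAwareJwtAuthenticationConverter());
    }
}
```

Because the roles now come straight from the token, every ROLE_ authority is only as trustworthy as the issuer whose signature the resource server verifies; keep the jwk-set-uri/issuer configuration pointed at the one authorization server you trust, and do not add a fallback that reads roles from an unverified claim source. If the claim is a single space-separated string rather than a JSON array, split it before mapping; getClaimAsStringList will hand back the whole string as one element.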
