solve JwtAuthenticationToken does not contains user's authorities #6772
Conversation
|
@seelikes Please sign the Contributor License Agreement! Click here to manually synchronize the status of this Pull Request. See the FAQ for frequently asked questions. |
|
@seelikes Thank you for signing the Contributor License Agreement! |
|
@seelikes thanks for the PR! While this is a really interesting idea, it's not clear to me that this is a common enough thing to add. Please see #6744 for some ideas on how to extract your |
jzheaux
added
the
status: declined
|
@jzheaux if this is not fixed, PreAuthorize with Jwt can only pass client's authorities. perhaps this is not the proper way to fix it, but the problem still exist somewhere. |
|
i need this function,so sad the commit can't be merged |
|
Note, @seelikes and @goddai, that this can be addressed by configuring the protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests(authz -> authz
// ... configure endpoints
)
.oauth2ResourceServer(oauth2 -> oauth2
.jwt(jwt -> jwt
.jwtAuthenticationConverter(jwtAuthenticationConverter())
)
);
}
JwtAuthenticationConverter jwtAuthenticationConverter() {
JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
authorities.setAuthoritiesClaimName("authorities");
JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
converter.setJwtGrantedAuthoritiesConverter(authorities);
return converter;
}I've created a ticket to add this to the reference documentation. Please feel free to indicate if I've misunderstood what you are trying to achieve. |
you can see the bug description here
when one access restful interface guarded by spring-security-oauth2-resource-server with Jwt token, user's own authorities will be lost, so
PreAuthorizeannotation will always fail when guarding user's own authorities.These authorities are granted to the user, regardless of what resource server it is accessing, which client it's using.