
Security - Implementation #22

Closed
vivdso opened this issue Feb 21, 2017 · 6 comments

vivdso commented Feb 21, 2017

Thanks for putting this online. I did try to implement this in my project, sending JWT tokens as my header.
For some reason, I am getting a 403 Forbidden error. I am not sure what I am doing wrong or if I am missing any configuration. I have put the project on GitHub, if someone can point me to what the issue is.
https://github.com/vivdso/SpringAuthentication

Please assist.

szerhusenBC (Owner) commented

Please give some more information. Which request returns the 403?

Take a look at your WebSecurityConfig. There are some things missing that I have in my WebSecurityConfigurerAdapter. Perhaps you get a better understanding of how this demo works if you take a look at the video I linked in the Readme.

vivdso commented Feb 21, 2017

Sure, I will look at it.
Any API call fails. I have two of them; below are the API calls:

http://localhost:8080/auth method POST, Content-Type application/json, body: {"username":"user","password":"sample"}. Response should be a JWT token.

Try the authenticated URL: http://localhost:8080/order
Header "Authorization":"{$jwtToken from previous step}"
Actual result: :( Error: 403 Forbidden. This should be fully authenticated and should let the user access this API.
Expected result: "Hello here is my order"

jsbUSMC commented Feb 24, 2017

Shouldn't the header be set to:

Authorization: Bearer {$jwtToken}

I'm not sure if this detail is important or not, but from my understanding of the specification, JWTs should be declared as Bearer tokens in the Authorization header.

szerhusenBC (Owner) commented

I didn't find the need for the bearer scheme in any specification, but it seems to me that it is the typical way to mark a bearer token. I will adapt it to the project in another ticket.
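The header form jsbUSMC describes, and why the bare token in vivdso's second call never authenticates, as an added example that is not code from this project: a Spring Security filter that accepts only `Authorization: Bearer <token>` and otherwise lets the request continue unauthenticated, so the URL access rules return the 403 instead of a parser quietly accepting a malformed header. It assumes Spring Security 5 on the `javax.servlet` API; the class name `BearerTokenFilter`, the `tokenToAuthentication` hook and the sample token are assumptions, not names from the project.

```java
import java.io.IOException;
import java.util.Optional;
import java.util.function.Function;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example, not the project's own filter. Accepts only "Authorization: Bearer <token>";
// any other header shape leaves the request unauthenticated so the access rules reject it.
public class BearerTokenFilter extends OncePerRequestFilter {

    private static final String SCHEME = "Bearer";

    // Hypothetical hook: verifies the JWT (signature, expiry, subject) and returns the
    // Authentication to install, or empty when the token does not check out.
    private final Function<String, Optional<Authentication>> tokenToAuthentication;

    public BearerTokenFilter(Function<String, Optional<Authentication>> tokenToAuthentication) {
        this.tokenToAuthentication = tokenToAuthentication;
    }

    // RFC 7235: the scheme name is case-insensitive and is followed by one or more spaces;
    // RFC 6750: the credentials are a b64token (1*(ALPHA/DIGIT/"-"/"."/"_"/"~"/"+"/"/") *"=").
    static Optional<String> parseBearerToken(String header) {
        if (header == null) {
            return Optional.empty();                       // header absent
        }
        String value = header.trim();
        if (value.length() <= SCHEME.length()
                || !value.regionMatches(true, 0, SCHEME, 0, SCHEME.length())
                || value.charAt(SCHEME.length()) != ' ') {
            return Optional.empty();                       // no scheme, e.g. a bare JWT as in the failing call
        }
        String token = value.substring(SCHEME.length()).trim();
        if (!token.matches("[A-Za-z0-9\\-._~+/]+=*")) {
            return Optional.empty();                       // empty, or not a b64token
        }
        return Optional.of(token);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Optional<String> token = parseBearerToken(request.getHeader("Authorization"));
        if (token.isPresent() && SecurityContextHolder.getContext().getAuthentication() == null) {
            // Only a token that verifies populates the security context; otherwise the request
            // continues anonymously and the URL rules produce the 401/403.
            tokenToAuthentication.apply(token.get())
                    .ifPresent(auth -> SecurityContextHolder.getContext().setAuthentication(auth));
        }
        chain.doFilter(request, response);
    }

    // Stand-alone check of the header parsing on constructed header values.
    public static void main(String[] args) {
        String jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.c2ln";   // constructed, not a real signature
        String[] headers = {
            "Bearer " + jwt,             // the form proposed in the thread
            "bearer  " + jwt,            // scheme case and extra spacing are tolerated
            jwt,                         // the bare token from the failing call: no scheme
            "Bearer ",                   // scheme without a token
            "Basic dXNlcjpzYW1wbGU=",    // a different scheme
            null                         // header absent
        };
        for (String h : headers) {
            System.out.println(h + " -> " + parseBearerToken(h));
        }
    }
}
```

Wire it in the `WebSecurityConfigurerAdapter` with `http.addFilterBefore(new BearerTokenFilter(verifier), UsernamePasswordAuthenticationFilter.class)`, where `verifier` is whatever validates the JWT the `/auth` endpoint issued. Leaving the security context empty on a malformed header, rather than throwing, keeps the decision in one place: the access rules, which is where the 403 in this issue comes from.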

tandrew commented Sep 6, 2018

The current version did not work for me when trying to access it from another domain. It produced the following error:

Failed to load http://localhost:8080/auth: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8081' is therefore not allowed access.

I spent quite some time figuring out what to do here. I found a solution and have added this to WebSecurityConfig.java:

This then fixed it for me:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CorsFilter;

// Registered by Spring Boot as a servlet filter, so the preflight OPTIONS request gets its
// Access-Control-Allow-* headers before the JWT filter sees it.
@Bean
public CorsFilter corsFilter() {
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    CorsConfiguration config = new CorsConfiguration();
    config.setAllowCredentials(true); // you USUALLY want this
    // Any origin and any request header: this clears the preflight failure, but paired with
    // allowCredentials it lets every site make credentialed calls and is rejected outright by
    // Spring Framework 5.3+; list the real front-end origins instead for production.
    config.addAllowedOrigin("*");
    config.addAllowedHeader("*");
    config.addAllowedMethod("OPTIONS");
    config.addAllowedMethod("HEAD");
    config.addAllowedMethod("GET");
    config.addAllowedMethod("PUT");
    config.addAllowedMethod("POST");
    config.addAllowedMethod("DELETE");
    config.addAllowedMethod("PATCH");
    source.registerCorsConfiguration("/**", config);
    return new CorsFilter(source);
}
```

Credit to: https://stackoverflow.com/questions/36809528/spring-boot-cors-filter-cors-preflight-channel-did-not-succeed

Thought I'd share as CORS issues seem to be pretty common all around.

szerhusenBC (Owner) commented

@tandrew Thanks for sharing your solution!

Here's another possibility from a Spring guide: https://spring.io/guides/gs/rest-service-cors/
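Tightening tandrew's bean, as an added example that is not code from this project or from the Spring guide linked above: the wildcard origin and header settings are replaced with an explicit allow-list, registered under the bean name that `http.cors()` in a `WebSecurityConfigurerAdapter` looks up, and the `main` runs the same `checkOrigin`, `checkHttpMethod` and `checkHeaders` evaluations Spring's CORS processor applies to a request (each returns the permitted value for an allow-listed input and `null` otherwise). It assumes Spring Framework 5.x and Spring Security 5; the front-end origin is the one named in the error message in tandrew's comment, while the class name and the header list are assumptions.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

// Added example, not the project's code: the CORS bean from the thread with the wildcards
// replaced by an allow-list.
@Configuration
public class RestrictedCorsConfig {

    // Constructed value: the front-end origin named in the preflight error above.
    static final String FRONTEND_ORIGIN = "http://localhost:8081";

    static CorsConfiguration restrictedConfiguration() {
        CorsConfiguration config = new CorsConfiguration();
        // Exact origins only. "*" plus allowCredentials=true would let any site make
        // credentialed calls, and Spring Framework 5.3+ refuses that combination outright.
        config.setAllowedOrigins(Arrays.asList(FRONTEND_ORIGIN));
        // Just the methods the two calls in this thread use; OPTIONS is the preflight itself.
        config.setAllowedMethods(Arrays.asList(
                HttpMethod.OPTIONS.name(), HttpMethod.GET.name(), HttpMethod.POST.name()));
        // Named request headers instead of "*": the JWT rides in Authorization and /auth posts JSON.
        config.setAllowedHeaders(Arrays.asList("Authorization", "Content-Type"));
        // The token is sent as a header, not a cookie, so the browser need not attach credentials.
        config.setAllowCredentials(false);
        config.setMaxAge(600L);   // browsers may cache the preflight answer for ten minutes
        return config;
    }

    // Under this bean name, http.cors() in the WebSecurityConfigurerAdapter picks the source up and
    // answers the preflight before the JWT filter runs, so no separate CorsFilter bean is needed.
    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", restrictedConfiguration());
        return source;
    }

    // Stand-alone check: the same evaluations Spring's DefaultCorsProcessor runs on a request.
    public static void main(String[] args) {
        CorsConfiguration config = restrictedConfiguration();
        System.out.println(config.checkOrigin(FRONTEND_ORIGIN));
        System.out.println(config.checkOrigin("http://localhost:9999"));   // constructed, not listed
        System.out.println(config.checkHttpMethod(HttpMethod.POST));
        System.out.println(config.checkHttpMethod(HttpMethod.DELETE));
        System.out.println(config.checkHeaders(Arrays.asList("Authorization", "Content-Type")));
        System.out.println(config.checkHeaders(Arrays.asList("X-Requested-With")));
    }
}
```

Keep `http.cors()` in `configure(HttpSecurity)` so Spring Security answers the preflight. If a `CorsFilter` bean is preferred, as in tandrew's snippet, wrap the same source with `new CorsFilter(corsConfigurationSource())`; the `@CrossOrigin(origins = ...)` annotation from the Spring guide is the per-controller form of the same allow-list. The point either way is that the origin, method and header lists name exactly what the front-end needs, so a page on any other origin gets no `Access-Control-Allow-Origin` header back.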
