we are using springboot 3.+ and spring 6+ and spring security 6+. the java spring bott quik start version for spring boot 3 is not available. i checked spring documentaation to validate and authorize token at backend. token validation is working but each endpoints with speicific permission/authority is not working. below is the token and java code. help me solve the issue.
if correct token exist(signature), all end points are accessible and not checking authority to specific endpoint.
1.sample test token(permissions claim contains the permissions check in jwt.io):
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InR1c0xDdUdqLUZIa0tqekVYdGFxYyJ9.eyJpc3MiOiJodHRwczovL3Zhbm5hYXV0aDAtZGV2LnVzLmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw2NTMyNjlkOTdhMjNhN2I1NzVmMzRkNmMiLCJhdWQiOlsiaHR0cHM6Ly9teWFwcGFwaXNlY29uZC5leGFtcGxlIiwiaHR0cHM6Ly92YW5uYWF1dGgwLWRldi51cy5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNjk4MzMwMDM5LCJleHAiOjE2OTg0MTY0MzksImF6cCI6Ik5KRk9vTDcxazJCcnpkYk5hbklsNEl1bHIxdkt0dUdKIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInBlcm1pc3Npb25zIjpbImNyZWF0ZTp0aW1lc2hlZXRzIiwiZGVsZXRlOnRpbWVzaGVldHMiLCJyZWFkOnRpbWVzaGVldHMiXX0.HJRzCz5UwaLp8ggpIBCw2CEn3M6GpXsv2n1Nv3c8SthcENbKncDWBwLALRhDf0Y-CKTOy1gXxv_cyKtY0LMeMEdbmFxjZguUrIvhRJ8QSLKLgRs6vGd-QbB58pO44eoOnCkmgnCNQoLqv1gkjMV1l8rTw_E0Rpa6Nk2nL3PddhlJ8uo2yFgkSLnfN9mv-2O2yhpfNrq2fbUGkNaGFrxCR1cgf–mYUotUoLoNOjawhGPP2Yw_JR4PONWtfC3rQbUu5S-haTA3yX2AyMV-mRQt1UDQkzx8kVIMJBDs2dzmJUaqbQqLjJtX4GBfMqHYhdDZF9hTw0Rx7yIIjTXxsYGJQ
2.java spring boot code:
package com.vanna.auth0api.configuration;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
@EnableWebSecurity
public class SecurityConfig {
@Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
private String issuerUri;
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.authorizeHttpRequests(authorize -> authorize
.requestMatchers("/create-timesheet/**").hasAuthority("PERMISSIONS_create:timesheets")
.requestMatchers("/read-timesheet/**").hasAuthority("PERMISSIONS_read:timesheets")
.requestMatchers("/delete-timesheet/**").hasAuthority("PERMISSIONS_delete:timesheets")
.requestMatchers("/approve-timesheet/**").hasAuthority("PERMISSIONS_approve:timesheets")
.anyRequest().authenticated()
)
.oauth2ResourceServer(oauth2 -> oauth2
.jwt(jwt -> jwt
.jwtAuthenticationConverter(jwtAuthenticationConverter())
)
);
return http.build();
}
@Bean
public JwtDecoder jwtDecoder() {
return NimbusJwtDecoder.withIssuerLocation(issuerUri).build();
}
@Bean
public JwtAuthenticationConverter jwtAuthenticationConverter() {
JwtGrantedAuthoritiesConverter grantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
grantedAuthoritiesConverter.setAuthoritiesClaimName("permissions");
grantedAuthoritiesConverter.setAuthorityPrefix("PERMISSIONS_");
JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(grantedAuthoritiesConverter);
return jwtAuthenticationConverter;
}
}