I am currently developing an API authorization. So basically I have a filter JwtAuthorizationFilter. And in my RestController I want to annotate the request that should be filtered via @PreAuthorize("hasRole('ADMIN')"), for example. So my question is now: how do I have to set up the WebSecurityConfigurerAdapter (or any other thing) to link the annotations with the JwtAuthorizationFilter?
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    @EnableGlobalMethodSecurity(prePostEnabled = true)
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // Basically permit every request, but if needed (through @PreAuthorize)
            // check via JwtAuthorizationFilter
        }
    }
Thank you! Best regards Sebastian
Answer
The purpose of JwtAuthorizationFilter should be to set the Authentication's granted authorities. Then, Spring Security's default method security will suffice.
You have a couple of options:
Use Spring Security’s built-in JWT support
If the JWT is minted by an authorization server, then Spring Security's default JWT support may suffice. Spring Security ships with BearerTokenAuthenticationFilter and JwtAuthenticationProvider. The filter will parse the Authorization header to get the token and the provider will validate the token and construct an Authentication that's based on the scope or scp claim. In that case, you'd do something like @PreAuthorize("hasAuthority('SCOPE_ADMIN')").
If you need to customize how to convert JWT claims into GrantedAuthority instances, then you can publish a JwtAuthenticationConverter @Bean.
For complete setup details, take a look at Spring Security’s OAuth 2.0 Resource Server sample. Basically, though, your configuration would look like this:
    http
        .authorizeRequests((authz) -> authz
            .anyRequest().authenticated()
        )
        .oauth2ResourceServer((oauth2) -> oauth2
            .jwt(Customizer.withDefaults())
        );
Use Spring Security’s Built-in JWT support without an Authorization Server
Spring Security’s existing support is designed with an authorization server in mind, but this isn’t a requirement.
You can instead have your application mint self-signed tokens.
Roll Your Own
You could keep your JwtAuthorizationFilter, but it's not clear why Spring Security's existing support is insufficient. To add a filter, you can simply do addFilterBefore(myFilter, BearerTokenAuthenticationFilter.class). You can take a look at BearerTokenAuthenticationFilter as an example of some of the things you should consider when creating your own filter.
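The following is an added example, not code from the question or the answer above, that puts the first two options together for the asker's actual goal: making @PreAuthorize("hasRole('ADMIN')") work with Spring Security's built-in JWT support and no custom filter, with the application minting its own HMAC-signed tokens (the "without an Authorization Server" case). The secret, the "roles" claim name, the 15-minute lifetime and the /admin endpoint are assumptions for illustration; the class and method names of Spring Security's resource-server and JWT APIs are real ones. It assumes Spring Security 5.6 or later (NimbusJwtEncoder and authorizeHttpRequests appeared in 5.6) and the spring-security-oauth2-jose and spring-security-oauth2-resource-server modules on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.List;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import com.nimbusds.jose.jwk.source.ImmutableSecret;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jwt.JwsHeader;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtEncoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Service;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize, as in the question
public class SecurityConfig {

    // Assumed example secret. HS256 needs at least 256 bits, so 32 bytes; load it from
    // configuration in a real deployment, never hard-code it.
    private static final byte[] SECRET =
            "change-me-change-me-change-me-32".getBytes(StandardCharsets.UTF_8);

    // BearerTokenAuthenticationFilter reads the Authorization header and
    // JwtAuthenticationProvider validates the token; no custom filter needed.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    // Verifies the HMAC signature and, via the default validators, the exp/nbf claims.
    @Bean
    JwtDecoder jwtDecoder() {
        SecretKey key = new SecretKeySpec(SECRET, "HmacSHA256");
        return NimbusJwtDecoder.withSecretKey(key).macAlgorithm(MacAlgorithm.HS256).build();
    }

    // Mints self-signed tokens with the same secret (symmetric: whoever can verify can mint).
    @Bean
    JwtEncoder jwtEncoder() {
        return new NimbusJwtEncoder(new ImmutableSecret<>(SECRET));
    }

    // Maps the assumed "roles" claim to ROLE_* authorities so hasRole('ADMIN') matches.
    // This replaces the default scope/scp -> SCOPE_* mapping.
    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("roles");
        authorities.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }
}

@Service
class TokenService {
    private final JwtEncoder encoder;

    TokenService(JwtEncoder encoder) {
        this.encoder = encoder;
    }

    // Call this only after the caller's credentials have been verified (assumed to happen
    // elsewhere); the roles placed here become the ROLE_* authorities on every request.
    String mint(String subject, List<String> roles) {
        Instant now = Instant.now();
        JwtClaimsSet claims = JwtClaimsSet.builder()
                .issuer("self")
                .subject(subject)
                .issuedAt(now)
                .expiresAt(now.plusSeconds(900)) // assumed 15-minute lifetime
                .claim("roles", roles)
                .build();
        JwsHeader header = JwsHeader.with(MacAlgorithm.HS256).build();
        return encoder.encode(JwtEncoderParameters.from(header, claims)).getTokenValue();
    }
}

@RestController
class AdminController {
    // Rejected with 403 unless the token's "roles" claim contains "ADMIN".
    @GetMapping("/admin")
    @PreAuthorize("hasRole('ADMIN')")
    String admin() {
        return "admin only";
    }
}
```

With this in place a request carrying Authorization: Bearer <token minted with roles ["ADMIN"]> reaches admin(), while a token without that role, an expired token, or a token signed with a different key is rejected before the controller runs. Two caveats: hasRole('ADMIN') only matches the authority ROLE_ADMIN, which is why the converter sets the ROLE_ prefix, and because the key is symmetric every service that can validate tokens can also forge them, which is acceptable only when issuer and resource server are the same application.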