Spring Boot HttpSecurity – @PreAuthorize – How to set AuthenticationFilter?

I am currently developing a API Authorization. So basically I have a filter JwtAuthorizationFilter. And in my RestController I want to annotate the request that should be filtered via @PreAuthorize("hasRole('ADMIN')") for example. So my question is now: How do i have to setup the WebSecurityConfigureAdapter (or any other thing) to link the annotations with the JwtAuthorizationFilter?

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Basically permit every request, but if needed (through @PreAuthorize) check via JwtAuthorizationFilter)
    }
}

Thank you! Best regards Sebastian

Answer

The purpose of JwtAuthorizationFilter should be to set the Authentication‘s granted authorities. Then, Spring Security’s default method security will suffice.

You have a couple of options:

Use Spring Security’s built-in JWT support

If the JWT is minted by an authorization server, then Spring Security’s default JWT support may suffice. Spring Security ships with BearerTokenAuthenticationFilter and JwtAuthenticationProvider. The filter will parse the Authorization header to get the token and the provider will validate the token and construct an Authentication that’s based on the scope or scp claim. In that case, you’d do something like @PreAuthorize("hasAuthority('SCOPE_ADMIN')").

If you need to customize how to convert JWT claims into GrantedAuthoritys, then you can publish a JwtAuthenticationConverter @Bean.

For complete setup details, take a look at Spring Security’s OAuth 2.0 Resource Server sample. Basically, though, your configuration would look like this:

http
    .authorizeRequests((authz) -> authz
        .anyRequest().authenticated()
    )
    .oauth2ResourceServer((oauth2) -> oauth2
        .jwt(Customizer.withDefaults())
    );

Use Spring Security’s Built-in JWT support without an Authorization Server

Spring Security’s existing support is designed with an authorization server in mind, but this isn’t a requirement.

You can instead have your application mint self-signed tokens.

Roll Your Own

You could keep your JwtAuthorizationFilter, but it’s not clear why Spring Security’s existing support is insufficient. To add a filter, you can simply do addFilterBefore(myFilter, BearerTokenAuthenticationFilter.class). You can take a look at BearerTokenAuthenicationFilter as an example of some of the things you should consider when creating your own filter.