Hi Team,
I am working on migrating my application from Spring 5 to Spring 6.0.2.
After changing the pom (moving most of the jars from javax to Jakarta), I am able to deploy my application in CF with sap_java_buildpack_jakarta.
Below is the SecurityConfiguration class (a portion of it is shared here).
It always gives 403. I have validated the JWT token, and the authorities and scopes from the JWT decoder are all as expected. Even then, if I use the requestMatchers method with any HTTP method, it always gives 403.
Only permitAll() allows the call to pass.
Can someone help me understand why this works fine with Spring 5 and why it gives 403 in Spring 6.0.2?
And is there any solution to fix this?
--------------SecurityConfiguration-----
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.context.WebApplicationContext;

import com.sap.cloud.security.xsuaa.XsuaaCredentials;
import com.sap.cloud.security.xsuaa.XsuaaServiceConfiguration;
import com.sap.cloud.security.xsuaa.XsuaaServiceConfigurationCustom;
import com.sap.cloud.security.xsuaa.token.SpringSecurityContext;
import com.sap.cloud.security.xsuaa.token.Token;
import com.sap.cloud.security.xsuaa.token.TokenAuthenticationConverter;
import com.sap.cloud.security.xsuaa.token.authentication.XsuaaJwtDecoderBuilder;
// IUserInfoProvider, UserInfoProvider, VcapServiceReader and EnvironmentConstants are
// application classes; their imports are not part of the shared portion.

@EnableWebSecurity
public class SecurityConfiguration {

    private final Logger logger = LoggerFactory.getLogger(SecurityConfiguration.class);

    @Autowired
    XsuaaServiceConfiguration xsuaaServiceConfiguration;

    @Bean
    public SecurityFilterChain filterChain(final HttpSecurity http) throws Exception {
        final String brokerPlanXSAppName = xsuaaServiceConfiguration.getAppId();
        http.sessionManagement(management -> management
                        // session is created by app router
                        .sessionCreationPolicy(SessionCreationPolicy.NEVER))
                // CSRF handling is done by app router (if one is used)
                .csrf(CsrfConfigurer::disable)
                // demand specific scopes depending on intended request
                .authorizeHttpRequests(auth -> auth
                        .requestMatchers(HttpMethod.GET, "/rest/computation/keyMetrics")
                        .hasAnyAuthority("VIEW_DATA_ACQ_ERRORLOG")
                        // deny any other end points
                        .anyRequest().denyAll())
                // authorities are derived from the JWT by the XSUAA converter below
                .oauth2ResourceServer(server -> server.jwt()
                        .jwtAuthenticationConverter(getJwtAuthoritiesConverter()));
        return http.build();
    }

    private Converter<Jwt, AbstractAuthenticationToken> getJwtAuthoritiesConverter() {
        final TokenAuthenticationConverter converter = new TokenAuthenticationConverter(xsuaaServiceConfiguration);
        // false: scopes are kept as granted authorities without stripping the xsappname prefix
        converter.setLocalScopeAsAuthorities(false);
        return converter;
    }

    // request-scoped token of the current caller, proxied so it can be injected into singletons
    @Bean
    @Scope(value = WebApplicationContext.SCOPE_REQUEST, proxyMode = ScopedProxyMode.TARGET_CLASS)
    public Token userInfo() {
        return SpringSecurityContext.getToken();
    }

    @Bean
    public IUserInfoProvider userInfoProvider() {
        return new UserInfoProvider();
    }

    // XSUAA credentials are read from the bound service instance in VCAP_SERVICES
    @Bean
    public XsuaaCredentials xsuaaCredentials() {
        final VcapServiceReader vcapServicesReader = VcapServiceReader.getInstance();
        final String uaaUrl = (String) vcapServicesReader.getAttribute(EnvironmentConstants.XSUAA_BROKER_SERVICE_NAME,
                EnvironmentConstants.ENV_URL);
        final String clientId = (String) vcapServicesReader.getAttribute(EnvironmentConstants.XSUAA_BROKER_SERVICE_NAME,
                EnvironmentConstants.CLIENTID);
        final String clientSecret = (String) vcapServicesReader.getAttribute(EnvironmentConstants.XSUAA_BROKER_SERVICE_NAME,
                EnvironmentConstants.CLIENTSECRET);
        final String uaaDomain = (String) vcapServicesReader.getAttribute(EnvironmentConstants.XSUAA_BROKER_SERVICE_NAME,
                EnvironmentConstants.UAA_DOMAIN);
        final String xsAppName = (String) vcapServicesReader.getAttribute(EnvironmentConstants.XSUAA_BROKER_SERVICE_NAME,
                EnvironmentConstants.XSAPPNAME);
        final XsuaaCredentials credentials = new XsuaaCredentials();
        credentials.setClientId(clientId);
        credentials.setClientSecret(clientSecret);
        credentials.setUrl(uaaUrl);
        credentials.setUaaDomain(uaaDomain);
        credentials.setXsAppName(xsAppName);
        return credentials;
    }

    @Bean
    public XsuaaServiceConfiguration customXsuaaConfig(final XsuaaCredentials xsuaaCredentials) {
        return new XsuaaServiceConfigurationCustom(xsuaaCredentials);
    }

    // xsuaaCredentials is injected but not used in this portion
    @Bean
    JwtDecoder jwtDecoder(final XsuaaServiceConfiguration customXsuaaServiceConfiguration, final XsuaaCredentials xsuaaCredentials) {
        return new XsuaaJwtDecoderBuilder(customXsuaaServiceConfiguration).build();
    }
}
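A diagnostic test that separates the two places the 403 can come from, added here as an example and not part of the original post or the SAP library: Spring Security's jwt() request post-processor puts a JwtAuthenticationToken with chosen authorities straight into the security context and does not invoke the JwtDecoder, so these requests exercise only the request matcher and the hasAnyAuthority comparison in the filter chain above. It assumes a Spring Boot test context that can start (the VCAP_SERVICES-backed beans need their environment), that the endpoint path and scope name are the ones in the rule, and the prefixed authority value is a constructed sample.

```java
import static org.junit.jupiter.api.Assertions.assertNotEquals;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.jwt;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class SecurityConfigurationAuthorizationTest {

    @Autowired
    private MockMvc mockMvc;

    // Bare scope name exactly as written in the hasAnyAuthority rule (assumed to be the intended authority).
    private static final String VIEW_SCOPE = "VIEW_DATA_ACQ_ERRORLOG";
    // Constructed sample of an XSUAA scope with its xsappname prefix; not a real app id.
    private static final String PREFIXED_SCOPE = "myapp!t123." + VIEW_SCOPE;

    // If this passes while the deployed app still returns 403, the matcher is fine and the
    // authority names produced by the converter are the next thing to inspect.
    @Test
    void getWithBareAuthorityIsNotForbidden() throws Exception {
        mockMvc.perform(get("/rest/computation/keyMetrics")
                        .with(jwt().authorities(new SimpleGrantedAuthority(VIEW_SCOPE))))
                .andExpect(result -> assertNotEquals(403, result.getResponse().getStatus()));
    }

    // The rule compares authority strings literally, so a prefixed scope does not satisfy it.
    @Test
    void getWithPrefixedAuthorityIsForbidden() throws Exception {
        mockMvc.perform(get("/rest/computation/keyMetrics")
                        .with(jwt().authorities(new SimpleGrantedAuthority(PREFIXED_SCOPE))))
                .andExpect(status().isForbidden());
    }

    // anyRequest().denyAll() must reject other methods even with the right authority (CSRF is disabled).
    @Test
    void otherMethodIsDeniedByCatchAllRule() throws Exception {
        mockMvc.perform(post("/rest/computation/keyMetrics")
                        .with(jwt().authorities(new SimpleGrantedAuthority(VIEW_SCOPE))))
                .andExpect(status().isForbidden());
    }
}
```

If the first test also fails, the request is not reaching the GET rule at all and the matcher (servlet path, method, pattern) is where to look before touching token handling.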