I have created an authentication system in Spring Boot which checks the user; if the user exists, I create a JWT token that is sent to the front end, and the front end sends it back to make requests. This token has the role incorporated.
import java.util.Date;
import javax.servlet.http.HttpServletResponse;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.core.Authentication;

private static final String AUTHORITIES_KEY = "auth";

// key (HS512 signing key) and timeout (token lifetime in ms) are defined elsewhere in the class
static void addAuthentication(HttpServletResponse res, Authentication authentication) {
    String token = Jwts.builder()
            .setSubject(authentication.getName())
            .setExpiration(new Date(System.currentTimeMillis() + timeout))
            .signWith(SignatureAlgorithm.HS512, key)
            .claim(AUTHORITIES_KEY, authentication.getAuthorities()) // The role is "ROLE_Consulta"
            .compact();
    // The token travels back to the client in the Authorization header
    res.addHeader("Authorization", "Bearer " + token);
}
For the user I am using, the role is Consulta, so I add this in the controller:
@Secured("ROLE_Consulta")
So when I send the token from the front end, I decode it to build the user that accesses the system:
**EDIT:**
import java.util.Arrays;
import java.util.Collection;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

static Authentication getAuthentication(HttpServletRequest request) {
    // Take the token that arrives in the request header
    String token = request.getHeader("Authorization");
    // If a token is present, validate it
    if (token != null) {
        // parseClaimsJws is the call that verifies the signature (and expiry); parse once and reuse the claims
        Claims claims = Jwts.parser()
                .setSigningKey(key)
                .parseClaimsJws(token.replace("Bearer", ""))
                .getBody();
        String user = claims.getSubject();
        // The "auth" claim is turned into a string and split on commas to rebuild the authorities
        Collection<GrantedAuthority> authorities = Arrays.stream(claims.get(AUTHORITIES_KEY).toString().split(","))
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        return user != null ? new UsernamePasswordAuthenticationToken(user, null, authorities) : null;
    }
    return null;
}
As you can see in the image, I have the ROLE_Consulta role, but I get the AccessDeniedException error:
"status": 403,
"error": "Forbidden",
"exception": "org.springframework.security.access.AccessDeniedException",
"message": "Acceso denegado",
I've solved it by decomposing the authorities, getting the role, and then using a different class than UsernamePasswordAuthenticationToken. It's not very elegant, but it works.
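Why the role never matches, and a version that round-trips it cleanly. This is an added example, not code from the question: `.claim(AUTHORITIES_KEY, authentication.getAuthorities())` hands JJWT a collection of `GrantedAuthority` objects, which its JSON serializer writes as `[{"authority":"ROLE_Consulta"}]`. On the way back `claims.get(AUTHORITIES_KEY)` is therefore a list of maps, `toString()` gives `[{authority=ROLE_Consulta}]`, and the `SimpleGrantedAuthority` built from that string never equals `ROLE_Consulta`, so the role voter denies access with a 403. Storing the `getAuthority()` strings instead keeps the claim a plain `"ROLE_Consulta"` that parses back unchanged. The block assumes the JJWT 0.9.x API used on the page (`Jwts.parser()`, `signWith(SignatureAlgorithm, Key)`), spring-security-core on the classpath, a random HS512 key generated at startup (a real service loads it from configuration), and the hypothetical names `createToken`, `parseToken`, `TIMEOUT_MS` and `BEARER_PREFIX`.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.stream.Collectors;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

public class JwtAuthorities {

    private static final String AUTHORITIES_KEY = "auth";
    private static final String BEARER_PREFIX = "Bearer ";
    private static final long TIMEOUT_MS = 3_600_000L; // assumption: one-hour token lifetime
    // Assumption: a 64-byte random HS512 key created at startup; production code loads it from config
    private static final SecretKey KEY = newHs512Key();

    private static SecretKey newHs512Key() {
        byte[] bytes = new byte[64];
        new SecureRandom().nextBytes(bytes);
        return new SecretKeySpec(bytes, "HmacSHA512");
    }

    /** Issues a token whose "auth" claim is a plain comma-separated string of role names. */
    static String createToken(Authentication authentication) {
        String roles = authentication.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority) // "ROLE_Consulta", not {"authority":"ROLE_Consulta"}
                .collect(Collectors.joining(","));
        return Jwts.builder()
                .setSubject(authentication.getName())
                .claim(AUTHORITIES_KEY, roles)
                .setExpiration(new Date(System.currentTimeMillis() + TIMEOUT_MS))
                .signWith(SignatureAlgorithm.HS512, KEY)
                .compact();
    }

    /** Rebuilds the Authentication from an Authorization header value; null means "not authenticated". */
    static Authentication parseToken(String authorizationHeader) {
        // Only accept a Bearer token; a Basic or missing header is not a JWT
        if (authorizationHeader == null || !authorizationHeader.startsWith(BEARER_PREFIX)) {
            return null;
        }
        String token = authorizationHeader.substring(BEARER_PREFIX.length()).trim();
        Claims claims;
        try {
            // Single parse: verifies signature and expiry, then yields the claims
            claims = Jwts.parser().setSigningKey(KEY).parseClaimsJws(token).getBody();
        } catch (JwtException | IllegalArgumentException e) {
            // Bad signature, expired, malformed or empty token: treat as unauthenticated, not as a 500
            return null;
        }
        String roles = claims.get(AUTHORITIES_KEY, String.class);
        if (claims.getSubject() == null || roles == null) {
            return null;
        }
        List<GrantedAuthority> authorities = Arrays.stream(roles.split(","))
                .filter(r -> !r.isEmpty())
                .map(SimpleGrantedAuthority::new) // yields an authority equal to "ROLE_Consulta"
                .collect(Collectors.toList());
        // Three-argument constructor marks the token as authenticated
        return new UsernamePasswordAuthenticationToken(claims.getSubject(), null, authorities);
    }

    public static void main(String[] args) {
        // Constructed sample user with the role from the question
        Authentication original = new UsernamePasswordAuthenticationToken(
                "usuario", null, Collections.singletonList(new SimpleGrantedAuthority("ROLE_Consulta")));
        String token = createToken(original);

        Authentication restored = parseToken(BEARER_PREFIX + token);
        System.out.println("subject: " + restored.getName());
        System.out.println("authorities: " + restored.getAuthorities());
        System.out.println("has ROLE_Consulta: "
                + restored.getAuthorities().contains(new SimpleGrantedAuthority("ROLE_Consulta")));

        // Same claims signed with a different key must be rejected, not granted ROLE_Admin
        String forged = Jwts.builder().setSubject("usuario").claim(AUTHORITIES_KEY, "ROLE_Admin")
                .signWith(SignatureAlgorithm.HS512, newHs512Key()).compact();
        System.out.println("forged token accepted: " + (parseToken(BEARER_PREFIX + forged) != null));
    }
}
```

The filter that calls `parseToken` still has to put the returned `Authentication` into `SecurityContextHolder`, and `@Secured("ROLE_Consulta")` is only enforced when the configuration carries `@EnableGlobalMethodSecurity(securedEnabled = true)`; the comparison is an exact string match, so the value stored in the claim must be the same `ROLE_Consulta` the annotation names. Checking the `Bearer ` prefix and catching `JwtException` keeps a malformed, expired or forged header from surfacing as a server error instead of an unauthenticated request.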