Thanks for your post. I was also surprised how little code that was necessary in order to do authentication and fetch user information from my provider's userinfo endpoint, but there is one crucial thing I cannot understand. How do I protect my application using such rules:
.antMatchers("/user/**").hasRole("USER")
ROLE_USER should be added by default, but Spring Security is responding with 403/forbidden if I go to my protected page /user/index.html after successful authentication. I guess there is something I have misunderstood.
Here's part of my security config:
I have tried to map the roles by using a userAuthoritiesMapper, but it doesn't help much. If I try to write out the authorities after authentication, this is what I get (and notice the ROLE_USER which is actually present):
Hi,
Thank you for the response, I hope you already went through this.
The distinction between Role and Authority is subtle, as explained here. Without looking into your userAuthoritiesMapper, I cannot be sure. It would be helpful if you can share your code for me to have a look at it.
Thanks for your reply and your willingness to help. Actually it works after I changed .antMatchers("/user/", "/user/index.html") to .antMatchers("/user/**").
Since our old SAML 2.0-based application needs a UserDetails object, do you have any suggestions how to proceed? My thoughts are to configure the following to map authorities and to return a UserDetails object which implements OAuth2UserService<OidcUserRequest, OidcUser>.
The latter question is just meant as a contribution to the discussion, not something I need help implementing. Using a UserDetails object is very usual in Spring Security, but the documentation does not mention this strategy.
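Added example, not code from the post or its commenters: a Spring Security 5 configuration that wires a userAuthoritiesMapper into the OIDC login and protects /user/** with hasRole("USER"), as settled on in the thread. The "roles" claim name and the KNOWN_ROLES allow-list are assumptions; adjust them to what your provider actually issues.

```java
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;

@Configuration
@EnableWebSecurity
public class OidcRoleMappingConfig extends WebSecurityConfigurerAdapter {
    // Only roles on this list become authorities; anything else in the claim is ignored (assumed set).
    private static final Set<String> KNOWN_ROLES = Set.of("USER", "ADMIN");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests(auth -> auth
                // "/user/**" matches /user/, /user/index.html and everything below it
                .antMatchers("/user/**").hasRole("USER")
                .anyRequest().authenticated())
            .oauth2Login(login -> login
                .userInfoEndpoint(userInfo -> userInfo
                    .userAuthoritiesMapper(userAuthoritiesMapper())));
    }

    @Bean
    public GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return authorities -> {
            Set<GrantedAuthority> mapped = new HashSet<>(authorities); // keep ROLE_USER, SCOPE_*, ...
            for (GrantedAuthority authority : authorities) {
                if (!(authority instanceof OidcUserAuthority)) continue;
                OidcUserAuthority oidc = (OidcUserAuthority) authority;
                // "roles" is an assumed claim name; read it from userinfo, falling back to the ID token
                List<String> roles = oidc.getUserInfo() != null
                        ? oidc.getUserInfo().getClaimAsStringList("roles") : null;
                if (roles == null) roles = oidc.getIdToken().getClaimAsStringList("roles");
                if (roles == null) continue;
                for (String role : roles) {
                    String name = role.toUpperCase();
                    // hasRole("ADMIN") looks for the authority "ROLE_ADMIN"
                    if (KNOWN_ROLES.contains(name)) mapped.add(new SimpleGrantedAuthority("ROLE_" + name));
                }
            }
            return mapped;
        };
    }
}
```

If a request for /user/index.html still returns 403, dump the mapped authorities from the Authentication principal first: hasRole("USER") passes only when an authority named exactly ROLE_USER is present.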