Missing @EnableReactiveMethodSecurity #11

Open
RalfLackinger opened this issue Sep 4, 2019 · 0 comments

First off thank you for this great example.

I think you forgot to add the @EnableReactiveMethodSecurity annotation on your SecuredRestApplication. I was playing around a bit with your code and removing the ADMIN role from the user setup did not prevent me from accessing the /api/admin endpoint.

```java
@Bean
public MapReactiveUserDetailsService userDetailsRepository() {
    // only the USER role is granted here; ADMIN has been removed from the setup
    UserDetails user = User.withDefaultPasswordEncoder()
                           .username("user")
                           .password("user")
                           .roles("USER")
                           .build();
    return new MapReactiveUserDetailsService(user);
}
```

Then I generated a new token Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwicm9sZXMiOiJST0xFX1VTRVIiLCJpc3MiOiJyYXBoYS5pbyIsImV4cCI6MTU2NzY3OTY3OX0.C67PZ_YX2Zm1_YDMnVgqoxNXCEd4iKOhTM9EdiEA5WI (content can be checked via https://jwt.io/ and verified with the default secret of your app).

This will then still allow me to call the admin endpoint:

```
$ http -v :8080/api/admin "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwicm9sZXMiOiJST0xFX1VTRVIiLCJpc3MiOiJyYXBoYS5pbyIsImV4cCI6MTU2NzY3OTY3OX0.C67PZ_YX2Zm1_YDMnVgqoxNXCEd4iKOhTM9EdiEA5WI"
GET /api/admin HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIiwicm9sZXMiOiJST0xFX1VTRVIiLCJpc3MiOiJyYXBoYS5pbyIsImV4cCI6MTU2NzY3OTY3OX0.C67PZ_YX2Zm1_YDMnVgqoxNXCEd4iKOhTM9EdiEA5WI
Connection: keep-alive
Host: localhost:8080
User-Agent: HTTPie/0.9.8

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: application/json;charset=UTF-8
Expires: 0
Pragma: no-cache
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1 ; mode=block
transfer-encoding: chunked

[
    {
        "message": "Hello Admin!",
        "name": "Admin"
    }
]
```

When adding the @EnableReactiveMethodSecurity annotation, I get the following, as expected:

```
HTTP/1.1 403 Forbidden
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: text/plain
Expires: 0
Pragma: no-cache
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1 ; mode=block
transfer-encoding: chunked

Denied
```
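As an added example (not the repository's code), the configuration the issue asks for, together with a regression test that would have caught the gap. It assumes a controller guarding `/api/admin` with `@PreAuthorize("hasRole('ADMIN')")`, `@EnableWebFluxSecurity` on the application class, and spring-security-test on the test classpath; class names other than `SecuredRestApplication` are hypothetical.

```java
// Added example, not the project's own code. The test class would normally live
// under src/test; it is shown here in one file for illustration.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import reactor.core.publisher.Flux;
import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.mockUser;

@SpringBootApplication
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity // without this, @PreAuthorize on reactive handlers is silently ignored
public class SecuredRestApplication {
    public static void main(String[] args) {
        SpringApplication.run(SecuredRestApplication.class, args);
    }
}

@RestController
class AdminController { // hypothetical name; stands in for the project's admin handler
    @GetMapping("/api/admin")
    @PreAuthorize("hasRole('ADMIN')") // enforced only when reactive method security is enabled
    Flux<String> admin() {
        return Flux.just("Hello Admin!");
    }
}

// Regression test: an authenticated principal holding only ROLE_USER must be
// denied. With the annotation missing this test fails, because the request
// passes the filter chain and the method-level check never runs.
@SpringBootTest
@AutoConfigureWebTestClient
class AdminEndpointTest {
    @Autowired WebTestClient client;

    @Test
    void userRoleCannotReachAdminEndpoint() {
        client.mutateWith(mockUser("user").roles("USER"))
              .get().uri("/api/admin").exchange()
              .expectStatus().isForbidden(); // 200 OK if @EnableReactiveMethodSecurity is absent
    }
}
```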