Spring Security Spring Security protect routes hasRole, hasAuthority do not work with CORS request

https://asapla99.github.io

Summary

hasRole, hasAuthority do not work with http CORS request and return status 403.

Actual Behavior

I'm using Spring Security JWT to secure Angular login page. I configure Spring CORS filter to accept http CORS request. I verify the JWT is valid in return and authenticated with correct roles. The secure routes such as hasRole, hasAuthority fail on CORS requests, it always return 403 status.

Expected Behavior

hasRole, hasAuthority should work with CORS request and return status 200, it responses with status 403 (forbidden)

Configuration

protected void configure(HttpSecurity http) throws Exception{ http.cors().and() .csrf().disable() .authorizeRequests() .antMatchers(HttpMethod.GET, "/api/list_customers").hasAnyRole("ADMIN","DEV") //FAIL 403 error .antMatchers(HttpMethod.GET, "/api/list_customers").hasAuthority("ROLE_ADMIN") //FAIL 403 error .anyRequest().authenticated()

Version

Springboot version 2.2.2 spring-boot-starter-security

Sample

https://asapla99.github.io

Comment From: rwinch

The sample you provided is a running application, but I want to see a minimal reproducible code sample. Can you please provide a complete sample that I can run?

Comment From: asapla99

Issue Resolved. I changed the role name from ADMIN to ROLE_ADMIN, then it works fine.