Summary

It is not clear in the documentation how to set user authority when JSR 250 annotations are used.

Actual Behavior

import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ApplicationController {

    // JSR 250: open to everyone, no Authentication required.
    @PermitAll
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String index() {
        return "Greetings from ContextConfig Boot!";
    }

    // JSR 250: caller must hold the role named here (see the thread below
    // for how the value is matched against granted authorities).
    @RolesAllowed({"ADMIN"})
    @RequestMapping(value = "/secured", method = RequestMethod.GET)
    public String secured() {
        return "Secured :)";
    }
}

Configuration

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
// jsr250Enabled turns on @PermitAll / @RolesAllowed evaluation on beans.
@EnableGlobalMethodSecurity(jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Left empty as posted: nothing here reads the token header, so no
        // Authentication is placed into the SecurityContext.
    }
}

Version

4.3.3.RELEASE

The token is sent in the header "X-AUTH-TOKEN". How to configure Spring Security so that when a user sends the token in the header and has the role "ADMIN", he will be allowed to access "secured"?

Comment From: rwinch

Spring Security does not have built in support for X-AUTH-TOKEN. Please provide more details.

Comment From: raderio

Well, it is custom header name, it could be "APP-ACCESS-Token".

Comment From: rwinch

You need to ensure the SecurityContext has an Authentication with the proper role. Without knowing more about how your application is set up, I cannot help.

Comment From: raderio

Hi. The issue was that the role is "ADMIN", but by default all roles should have the prefix "ROLE_". So, the role should be "ROLE_ADMIN".
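As an added example (not code from this issue or from Spring Security itself), the following ties the two answers together for a 4.3.x setup: a filter resolves the X-AUTH-TOKEN header to an Authentication whose authority is "ROLE_ADMIN" (the prefix that JSR 250's @RolesAllowed("ADMIN") is matched against), and the otherwise empty configure(HttpSecurity) registers it ahead of the standard authentication filter. The TokenHeaderFilter class, the in-memory TOKENS table and the token value in it are assumptions constructed for illustration; a real deployment would look the token up in a store and validate it (expiry, revocation) rather than use a static map.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(jsr250Enabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // One token per request: no HTTP session and no CSRF token exchange.
            .csrf().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            // Populate the SecurityContext before method security is evaluated.
            .addFilterBefore(new TokenHeaderFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    /**
     * Hypothetical filter (example only): maps the X-AUTH-TOKEN header to an
     * Authentication carrying the authorities associated with that token.
     */
    static class TokenHeaderFilter extends OncePerRequestFilter {

        static final String HEADER = "X-AUTH-TOKEN";

        // Constructed sample data: opaque token -> granted authorities.
        // The ROLE_ prefix matters: @RolesAllowed("ADMIN") is checked against "ROLE_ADMIN".
        private static final Map<String, List<GrantedAuthority>> TOKENS = Collections.singletonMap(
                "example-admin-token", AuthorityUtils.createAuthorityList("ROLE_ADMIN"));

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain chain) throws ServletException, IOException {
            String token = request.getHeader(HEADER);
            List<GrantedAuthority> authorities = (token == null) ? null : TOKENS.get(token);
            if (authorities != null) {
                // The three-argument constructor marks the Authentication as authenticated.
                Authentication auth = new UsernamePasswordAuthenticationToken(
                        "principal-for-" + token, null, authorities);
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
            // Missing or unknown token: the context stays empty, so /secured is
            // denied by @RolesAllowed while @PermitAll on / still passes.
            chain.doFilter(request, response);
        }
    }
}
```

With this in place, a request carrying `X-AUTH-TOKEN: example-admin-token` reaches `/secured`, while the same request with the table entry changed to `"ADMIN"` (no prefix) is denied, which is exactly the mismatch described in the last comment.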