Using Spring Boot 2.7.7. I have the following service:
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Service;

@Service
public class MyService
{
    ...
    // Method-level rule: caller must hold the granted authority SCOPE_s1
    @PreAuthorize("hasAuthority('SCOPE_s1')")
    public void service (...)
    {
        ...
    }
    ...
}
When I call it via the Spring Cloud Gateway, I have the following gateway log file:
my-gateway | 2023-08-09 16:31:23.254 DEBUG 1 --- [or-http-epoll-3] ebSessionServerSecurityContextRepository : Found SecurityContext 'SecurityContextImpl [Authentication=OAuth2AuthenticationToken [Principal=Name: ..., Granted Authorities: [[..., SCOPE_s1]], User Attributes: [{sub=..., previous_logon_time=null, email_verified=true, user_name=..., origin=..., iss=..., given_name=..., nonce=, client_id=..., aud=[...], zid=..., user_id=..., grant_type=authorization_code, azp=..., scope=["openid"], auth_time=..., name=..., exp=..., family_name=..., iat=..., email=..., jti=..., rev_sig=..., cid=...}], Credentials=[PROTECTED], Authenticated=true, Details=null, Granted Authorities=[..., SCOPE_s1]]]' in WebSession: 'org.springframework.web.server.session.InMemoryWebSessionStore$InMemoryWebSession@57b70b82'
The log file of the microservice behind the gateway displays the following:
myservice | 2023-08-09 16:31:23.260 DEBUG 1 --- [nio-9000-exec-3] o.s.security.web.FilterChainProxy : Securing GET /myendpoint
myservice | 2023-08-09 16:31:23.260 DEBUG 1 --- [nio-9000-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
myservice | 2023-08-09 16:31:23.272 DEBUG 1 --- [nio-9000-exec-3] o.s.s.o.s.r.a.JwtAuthenticationProvider : Authenticated token
myservice | 2023-08-09 16:31:23.272 DEBUG 1 --- [nio-9000-exec-3] .o.s.r.w.BearerTokenAuthenticationFilter : Set SecurityContextHolder to JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@125d50b0, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=172.19.0.4, SessionId=null], Granted Authorities=[]]
myservice | 2023-08-09 16:31:23.273 DEBUG 1 --- [nio-9000-exec-3] o.s.s.w.a.i.FilterSecurityInterceptor : Failed to authorize filter invocation [GET /myendpoint...] with attributes [hasAuthority('SCOPE_s1')]
myservice | 2023-08-09 16:31:23.274 DEBUG 1 --- [nio-9000-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
So, the security context seems to be okay in the gateway but once in the microservice behind the gateway the security context has an empty authorities list and the authorization fails. This is how the gateway is configured:
spring:
  cloud:
    gateway:
      routes:
        - id: myendpoint
          uri: http://.../myendpoint ...
          predicates:
            - Path=/myendpoint...
          filters:
            - TokenRelay=
            - RemoveRequestHeader=Cookie
What am I doing wrong here? Many thanks in advance for any help. Kind regards, Nicolas
Comment From: nicolasduminil
Is anyone concerned, please?
Comment From: jzheaux
Hi, @nicolasduminil! Sorry that you are having trouble and for the delay in my response. I don't have enough information to determine if it is a bug or not based on your description. Can you please produce a minimal, sample application and share it (for example as a GitHub repo or a zip file)?
In the meantime, I wonder if you have correctly used the @EnableMethodSecurity annotation to activate method security. A sample might confirm that one way or another.
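The resource-server side of this setup, as an added example that is not part of the issue or of Spring Security's own sources: a Spring Boot 2.7 / Spring Security 5.7 configuration for the microservice that activates method security, as suggested in the comment above, and makes the claim-to-authority mapping explicit, since the JwtAuthenticationToken in the microservice log was built with Granted Authorities=[] while the gateway's OAuth2AuthenticationToken carried SCOPE_s1. The package name, class name and the debug log line are assumptions. Note also that the rule failing in the log is evaluated by FilterSecurityInterceptor, i.e. an HTTP-level hasAuthority('SCOPE_s1') rule, so that rule is worth checking alongside the @PreAuthorize one.

```java
// Added example (not from the issue): resource-server configuration for the
// microservice behind the gateway. Spring Boot 2.7 / Spring Security 5.7 API.
package com.example.myservice.config;   // hypothetical package name

import java.util.Collection;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableMethodSecurity   // required for @PreAuthorize on @Service methods (Spring Security 5.6+)
public class ResourceServerConfig {

    private static final Logger log = LoggerFactory.getLogger(ResourceServerConfig.class);

    @Bean
    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
            // HTTP-level rule kept to "authenticated": the SCOPE_s1 check lives on the method.
            // If an HTTP rule like hasAuthority("SCOPE_s1") is configured here instead, it is
            // what FilterSecurityInterceptor evaluates, as in the log in this issue.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Validate the access token relayed by the gateway (TokenRelay) as a JWT and
            // build the Authentication with our explicit claim-to-authority mapping.
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())));
        return http.build();
    }

    @Bean
    JwtAuthenticationConverter jwtAuthenticationConverter() {
        // Default behaviour, made explicit: read the "scope" (or "scp") claim, which may be a
        // space-separated string or an array, and prefix every value with "SCOPE_" so that
        // hasAuthority('SCOPE_s1') can match a token whose scope claim contains "s1".
        JwtGrantedAuthoritiesConverter scopeConverter = new JwtGrantedAuthoritiesConverter();
        scopeConverter.setAuthorityPrefix("SCOPE_");

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            Collection<GrantedAuthority> authorities = scopeConverter.convert(jwt);
            // Diagnostic (assumed log line): an empty list here means the relayed token has
            // no scope/scp claim to map, independently of whether method security is enabled.
            if (authorities == null || authorities.isEmpty()) {
                log.debug("No scope claim mapped to authorities; token claim names: {}",
                        jwt.getClaims().keySet());
            }
            return authorities;
        });
        return converter;
    }
}
```

Call the endpoint through the gateway with DEBUG logging on and look for that diagnostic line. If it fires, the access token the gateway relays carries no scope or scp claim that JwtGrantedAuthoritiesConverter can map; the gateway's own SCOPE_ authorities come from the scopes of the token response handled by oauth2Login, not from parsing the JWT, so the two sides can disagree. In that case either the token issued to the gateway has to include the s1 scope, or, if the provider puts scopes in a differently named claim, scopeConverter.setAuthoritiesClaimName(...) should point the converter at that claim.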
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.