Enhancing Security Measures for Spring Boot App User Role-Based Endpoints

by

Waseem Khan
in , ,

Debugging Spring Security Configuration for Role-Based Endpoint Access

Recently, I embarked on an internship involving Spring Boot, where I was tasked with implementing a security framework for a web application. While I could successfully perform sign-ins using data from a database, I encountered an issue: the application failed to restrict access to certain endpoints based on user roles as I had defined in my SecurityConfig class. I configured roles for endpoints, expecting that only users with specified roles could access them, but it wasn’t working as intended.

Initial Setup and Configuration

In my SecurityConfig class, I began by setting up user details and authentication management, locally managing user sessions, and applying a JWT filter for securing requests:

@EnableWebSecurity
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomUserDetailsService userDetailsService;
    @Autowired
    private PasswordEncoder passwordEncoder;
    @Autowired
    private JwtAuthFilter jwtAuthFilter;

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable()
            .authorizeRequests()
                .antMatchers("/employe/**").hasRole("Role_Employe")
                .antMatchers("/manager/**").hasRole("Role_Manager")
                .antMatchers("/rh/**").hasRole("Role_rh")
                .anyRequest().authenticated()
            .and()
            .addFilterBefore(jwtAuthFilter, UsernamePasswordAuthenticationFilter.class)
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
    }
}

Investigating the Issue

Though the roles were set up in the HTTP security configuration, all routes remained accessible regardless of the authenticated user’s role. This led me to investigate several potential misconfigurations or misunderstandings:

  1. Role Prefix: Spring Security expects roles to be prefixed with 'ROLE_' by default when using hasRole unless configured otherwise. So, using "ROLE_Employe" instead of "Role_Employe" might resolve some issues.
  1. Role Assignment in UserDetailsService: I double-checked the CustomUserDetailsService where roles are granted to the UserDetails object. It was crucial that the roles attached to the UserDetails match those expected in the security configuration (including the prefix).
  1. JWT Token Parsing and Role Validation: In the JwtAuthFilter, I ensured that the JWT token provided the correct roles and that they were properly extracted and used to create the UsernamePasswordAuthenticationToken. A common pitfall could be improperly parsing the token or failing to validate it correctly against the user’s details.

public class JwtAuthFilter extends OncePerRequestFilter {
    // existing code...

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        // existing code...

        UserDetails user = userDetailsService.loadUserByUsername(userEmail);
        if (jwt.validateToken(jwtToken, user)) {
            UsernamePasswordAuthenticationToken authentication =
                    new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
            SecurityContextHolder.getContext().setAuthentication(authentication);
        }

        filterChain.doFilter(request, response);
    }
}

As I debugged, I logged the extracted roles from the JWT token and compared them with those expected by the endpoints. This helped identify any discrepancies in role names or missing roles in the tokens.

Refining the Implementation

To precisely control and review the role access, I implemented detailed logging at each step of the authentication and authorization process. This helped me track the flow and identify where the access control failed.

Additionally, ensuring the right propagation of security contexts in asynchronous executions and checking configurations like method security annotations (@PreAuthorize, @PostAuthorize) also provided more access control granularity when needed.

After thorough testing and adjustments, I managed to make the endpoint securities behave as expected, successfully restricting access based on user roles through the corrected handling of JWT tokens and roles in Spring Security.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *