#Springboot ignoring roles

I am new to springboot and decided to follow a tutorial on how to create a JWT RestApi with it. Upon doing this I noticed that it now completely ignores my @PreAuthorize annotations.

In a rest controller class:

    @PreAuthorize("hasRole('ADMIN')")
    @GetMapping("/admin")
    public String test() {
        return "Hello admin";
    }```

My SecurityFilterChain in my securityConfiguration class:

```    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .csrf(csrf -> csrf.disable())
                .authorizeHttpRequests(authorize -> authorize
                        .anyRequest().authenticated()
                )
                .oauth2ResourceServer((oauth2) -> oauth2.jwt(Customizer.withDefaults()))
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .httpBasic(Customizer.withDefaults());
        return http.build();
    }```

⌛ This post has been reserved for your question.

Hey @vivid heart! Please use /close or the Close Post button above when your problem is solved. Please remember to follow the help guidelines. This post will be automatically marked as dormant after 300 minutes of inactivity.

TIP: Narrow down your issue to simple and precise questions to maximize the chance that others will reply in here.

And my only user (which I have created for the test) does not have admin permissions however can see the results from /admin

    public UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
        manager.createUser(User.withUsername("user").password("{noop}password").roles("USER").build());
        return manager;
    }```

Can you enable TRACE or DEBUG logging for Spring Security and show the logs when making the reques?

Mapped to com.example.restAPI.controllers.HomeController#test()
Using 'text/plain', given [*/*] and supported [text/plain, */*, application/json, application/*+json]
Writing ["Hello admin"]
Completed 200 OK```

That's DEBUG ^

And that's shown in the console?

yes

Did you enable logging like https://stackoverflow.com/a/47729991/10871900?

I just enabled it on my

application.properties

what exactly did you enabled?

debug = true

source: https://docs.spring.io/spring-boot/docs/1.5.22.RELEASE/reference/html/boot-features-logging.html

oh I was specifically asking for Spring Security logging

oh mb

like there

Authenticated token
Set SecurityContextHolder to JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@bb8cefc3, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[SCOPE_ROLE_USER]]
Secured GET /admin```

isn't there something before and after?

mainly after it

Nothing after that

Before is just basic startup

Only other debug thing before it is this

And you did logging.level.org.springframework.security=DEBUG?

2025-01-05T21:44:50.795Z DEBUG 84135 --- [restAPI] [ main] o.s.s.web.DefaultSecurityFilterChain : Will secure any request with filters: DisableEncodeUrlFilter, WebAsyncManagerIntegrationFilter, SecurityContextHolderFilter, HeaderWriterFilter, LogoutFilter, BearerTokenAuthenticationFilter, BasicAuthenticationFilter, RequestCacheAwareFilter, SecurityContextHolderAwareRequestFilter, AnonymousAuthenticationFilter, SessionManagementFilter, ExceptionTranslationFilter, AuthorizationFilter

yes

Can you show the full logs?

100% debugging because its giving a different output without logging.level.org.springframework.security=DEBUG in application properties.

sure hold on

https://pastebin.com/UQHQmeeV

oh

you need to enable annotations like @PreAuthorize

o

I think @EnableMethodSecurity on the main class

or the security config

ah

How do you know that lmao?

Like you got any links to good documentation

remembering

https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html#migration-enableglobalmethodsecurity

and https://docs.spring.io/spring-security/reference/servlet/authorization/method-security.html

Thank you that sorted it... I did remove that as it was not part of the tutorial I was watching so thought it was useless as the previous tutorial didn't actually explain its purpose... lmao