PreAuthorise in Resource server not working

[intrepidtechnology]

Hi there,

I've created a OAuth2 BFF with the spring-addons-starter-oidc, with Angular front-end, following Jerome's example project.

When I create a function on the controller with @Preauthorise, the system fails with 401 Unauthorized, despite the test user having the correct permissions.
When I disable @PreAuthorize, I can call the API without any issues.

Any help will be highly appriciated

Here is my code:

Proxy:

scheme: http
hostname: 192.168.85.60
reverse-proxy-port: 7080
angular-port: 4201
angular-prefix: /angular-ui
angular-uri: http://${hostname}:${angular-port}${angular-prefix}
authorization-server-port: 8080
authorization-server-prefix: /auth
authorization-server-uri: ${scheme}://${hostname}:${authorization-server-port}${authorization-server-prefix}
bff-port: 7081
bff-prefix: /bff
bff-uri: ${scheme}://${hostname}:${bff-port}

server:
  port: ${reverse-proxy-port}
  ssl:
    enabled: false

spring:
  application:
     name: reverse-proxy-service 
     
  cloud:
    gateway:
      default-filters:
      - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
      routes:
      # SPAs assets
      - id: angular-ui
        uri: ${angular-uri}
        predicates:
        - Path=${angular-prefix}/**
 
      # Authorization-server
      - id: authorization-server
        uri: ${authorization-server-uri}
        predicates:
        - Path=${authorization-server-prefix}/**
      
      # Proxy BFF
      - id: bff
        uri: ${bff-uri}
        predicates:
        - Path=${bff-prefix}/**
        filters:
        - StripPrefix=1

BFF:

scheme: http
hostname: 192.168.85.60
reverse-proxy-port: 7080
reverse-proxy-uri: ${scheme}://${hostname}:${reverse-proxy-port}
authorization-server-prefix: /auth
issuer: ${reverse-proxy-uri}${authorization-server-prefix}/realms/intrepid
client-id: intrepid-technology
client-secret: u48jMzjhtby9eX8FCUN3mNTApZgEru5Z
username-claim-json-path: $.preferred_username
authorities-json-path: $.realm_access.roles
bff-port: 7081
bff-prefix: /bff
resource-server-port: 7082
audience: 

querymanagercommand-server-port: 7084

server:
  port: ${bff-port}
  ssl:
    enabled: false
  reactive:
    session:
      cookie:
        name: SESSION_${spring.application.name}


spring:
  application:
        name: bff-service
  security:
    user:
      name: root
      password: s3cr3t
      roles:
      - SYSTEM
    oauth2:
      client:
        provider:
          intrepid:
            issuer-uri: ${issuer}
        registration:
          intrepid:
            provider: intrepid
            authorization-grant-type: authorization_code
            client-id: ${client-id}
            client-secret: ${client-secret}
            scope: openid,profile,email,offline_access
  
  cloud:
    gateway:
      routes:
      - id: bff
        uri: ${scheme}://${hostname}:${resource-server-port}        
        predicates:
        - Path=/api/**
        filters:
        - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
        - TokenRelay=
        - SaveSession
        - StripPrefix=1

      #Query Manager
      - id: querymanagercommandservice
        uri: http://192.168.85.60:7084
        predicates:
          - Path=/querymanagercommand/api/**
        filters:
          - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
          - TokenRelay=
          - SaveSession
          - StripPrefix=1
      - id: querymanagerqueryservice
        uri: http://192.168.85.60:7085
        predicates:
          - Path=/querymanagerquery/api/**
        filters:
          - DedupeResponseHeader=Access-Control-Allow-Credentials Access-Control-Allow-Origin
          - TokenRelay=
          - SaveSession
          - StripPrefix=1
      
com:
  c4-soft:
    springaddons:
      oidc:
        # Trusted OpenID Providers configuration (with authorities mapping)
        ops:
        - iss: ${issuer}
          authorities:
          - path: ${authorities-json-path}
          aud: ${audience}
        # SecurityFilterChain with oauth2Login() (sessions and CSRF protection enabled)
        client:
          client-uri: ${reverse-proxy-uri}${bff-prefix}
          security-matchers:
          - /api/**
          - /login/**
          - /oauth2/**
          - /logout/**
          permit-all:
          - /api/**
          - /login/**
          - /oauth2/**
          - /logout/connect/back-channel/intrepid
          post-logout-redirect-host: ${hostname}
          csrf: cookie-accessible-from-js
          oauth2-redirections:
            rp-initiated-logout: ACCEPTED
          back-channel-logout:
            enabled: true
            # internal-logout-uri: ${reverse-proxy-uri}${bff-prefix}/logout
            # should work too,  but there is no reason to go through the reverse proxy for this internal call
            internal-logout-uri: ${scheme}://${hostname}:${bff-port}/logout
        # SecurityFilterChain with oauth2ResourceServer() (sessions and CSRF protection disabled)
        resourceserver:
          permit-all:
          - /login-options
          - /error
          - /v3/api-docs/**
          - /swagger-ui/**
          - /actuator/health/readiness
          - /actuator/health/liveness

Resource Server:

scheme: http
hostname: 192.168.85.60
reverse-proxy-port: 7080
reverse-proxy-uri: '${scheme}://${hostname}:${reverse-proxy-port}'
authorization-server-prefix: /auth
issuer: ${reverse-proxy-uri}${authorization-server-prefix}/realms/intrepid
username-claim-json-path: $.preferred_username
authorities-json-path: $.realm_access.roles
resource-server-port: 7082
audience: null

server:
  port: '${resource-server-port}'
  ssl:
    enabled: false
  reactive:
    session:
      cookie:
        name: 'SESSION_${spring.application.name}'
        
com:
  c4-soft:
    springaddons:
      oidc:
        ops:
        - iss: '${issuer}'
          username-claim: '${username-claim-json-path}'
          authorities:
          - path: '${authorities-json-path}'
          aud: '${audience}'
        resourceserver:
          permit-all:
          - /me
          - /actuator/**
          - /health
          - /heartbeat
          - /v3/api-docs/**
          - /swagger-ui/**
          - /actuator/health/readiness
          - /actuator/health/liveness

An finally......the problem resource server

QueryCommandServer:

scheme: http
hostname: 192.168.85.60
reverse-proxy-port: 7080
reverse-proxy-uri: '${scheme}://${hostname}:${reverse-proxy-port}'
authorization-server-prefix: /auth
issuer: ${reverse-proxy-uri}${authorization-server-prefix}/realms/intrepid'
username-claim-json-path: $.preferred_username
authorities-json-path: $.realm_access.roles
resource-server-port: 7084
audience: 

server:
  port: '${resource-server-port}'
  ssl:
    enabled: false
  reactive:
    session:
      cookie:
        name: 'SESSION_${spring.application.name}'


com:
  c4-soft:
    springaddons:
      oidc:
        ops:
        - iss: '${issuer}'
          username-claim: '${username-claim-json-path}'
          authorities:
          - path: '${authorities-json-path}'
          #- path: $.resource_access.spring-addons-confidential.roles
          - path: $.resource_access.*.roles
          aud: '${audience}'
        resourceserver:
          permit-all:
          #- /api/v1/querymanagercommandservice/**
          - /actuator/**
          - /api/v1/querymanagercommandservice/me/**
          - /me
          - /v3/api-docs/**
          - /swagger-ui/**
          - /actuator/health/readiness
          - /actuator/health/liveness
        cors:
        - path: /api/v1/querymanagercommandservice/**
          allowed-origin-patterns: "*"
        - path: /querymanagercommandservice/**
          allowed-origin-patterns: "*"
        - path: /truc/**
          allowed-origin-patterns:
          - "http://localhost:4200"
          - "http://*.chose.com"  

and its REST API

    /**
     * Create a new query on the system.
     *
     * @param queryRequest the query to process
     * @return ResultDto the response entity
     * @throws Exception the exception
     */
    @PreAuthorize("hasAuthority('TEST')")
    public Mono<ResultDto> createQuery(@RequestBody CreateQueryRequestDto createQueryRequest) throws InterruptedException {

        logger.info("UserCommandController: createQuery called for user: " + createQueryRequest.getLastName());

        queryCounter.increment();

        return this.queryManagerCommandService.createQuery(createQueryRequest);

    }

[ch4mpy]

What is the @PreAuthorize expression?

What is the request path?

What is the token payload?

[intrepidtechnology]

Thank you for your help its really appreciated.

The @PreAuthorize is

@PreAuthorize("hasAuthority('TEST')")

The request path is:
@PostMapping(value = "/createquery")

The call from the UI:
const data = this.httpClient.post<any>("/bff/querymanagercommand/api/v1/querymanagercommandservice/createquery",

Is this the token payload?
`Authorization:"Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJBdVE1d1FxcHVhbVVuR05oQzBwdU1rckJQd2FiejdIMUN2eVBocTZRcnU4In0.eyJleHAiOjE3MzUxNTI1MjcsImlhdCI6MTczNTE1MjIyNywiYXV0aF90aW1lIjoxNzM1MTQ5NDA4LCJqdGkiOiI2NTg5ZDU3Ny1mNDQxLTQ5YTctOWMxZS1jN2FlMTFiZWM2YWYiLCJpc3MiOiJodHRwOi8vMTkyLjE2OC44NS42MDo3MDgwL2F1dGgvcmVhbG1zL2ludHJlcGlkIiwiYXVkIjpbInJlYWxtLW1hbmFnZW1lbnQiLCJhY2NvdW50Il0sInN1YiI6ImVkOGI2NDhlLTAyZTUtNDMzNi05NzlmLWEzNGZhYmY4Zjk5NCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImludHJlcGlkLXRlY2hub2xvZ3kiLCJzaWQiOiJiMDI4MDk5MC01NWE0LTQ4OTQtOTM1OS1jZjE3YWY4ZDlhMTQiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly8xOTIuMTY4Ljg1LjYwOjcwODAiLCJodHRwOi8vMTkyLjE2OC44NS42MDo4MDgwIl0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJkZWZhdWx0LXJvbGVzLWludHJlcGlkIiwiVEVTVCIsIm9mZmxpbmVfYWNjZXNzIiwiTklDRSIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsicmVhbG0tbWFuYWdlbWVudCI6eyJyb2xlcyI6WyJ2aWV3LXVzZXJzIiwidmlldy1jbGllbnRzIiwidmlldy1hdXRob3JpemF0aW9uIiwicXVlcnktY2xpZW50cyIsInF1ZXJ5LWdyb3VwcyIsInF1ZXJ5LXVzZXJzIl19LCJpbnRyZXBpZC10ZWNobm9sb2d5Ijp7InJvbGVzIjpbIlRFU1QiXX0sImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoib3BlbmlkIGVtYWlsIHByb2ZpbGUgb2ZmbGluZV9hY2Nlc3MiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwibmFtZSI6IkJyaWNlIFRhYm9yIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYnJpY2UiLCJnaXZlbl9uYW1lIjoiQnJpY2UiLCJmYW1pbHlfbmFtZSI6IlRhYm9yIiwiZW1haWwiOiJzdXBwb3J0QGludHJlcGlkLmNvLnphIn0.UeA0M_AY4Rkd4qI6HfAF_eonBKCVOPVm6kwHeKqzmLQZ0yQNVnS2G_bfcKYhGcQhSICOsh2UtiHOYmlFp0PvWgtzB-VFqYyksTq12BBwz_k3PQ7tbtxSIwDLgYsn1c6ut6MVY4gC2gO16uYhMQtYQI1fJ07islLJoSCMM6hF9X70unovpLUaBc-kewG01PBD7NVOJtezFZyqgBgfJUYkFQgtwWnFvS0V7VDOgNy-0vWmxQWRuyYvYp5aI4c7zC1Hoh-gaHHbzyIATCdFYvvgNhENMrDrfDVk-fPTbe_HIUKv-0MdzWsL9lpePdcDFVL3LhYBu34ApgfIhGGnFmRgrg", Forwarded:"proto=http;host="192.168.85.60:7080";for="192.168.85.105:47986"", "proto=http;host="192.168.85.60:7081";for="192.168.85.60:36442""]

Converted:

"iat": 1735152227,
  "auth_time": 1735149408,
  "jti": "6589d577-f441-49a7-9c1e-c7ae11bec6af",
  "iss": "http://192.168.85.60:7080/auth/realms/intrepid",
  "aud": [
    "realm-management",
    "account"
  ],
  "sub": "ed8b648e-02e5-4336-979f-a34fabf8f994",
  "typ": "Bearer",
  "azp": "intrepid-technology",
  "sid": "b0280990-55a4-4894-9359-cf17af8d9a14",
  "acr": "1",
  "allowed-origins": [
    "http://192.168.85.60:7080",
    "http://192.168.85.60:8080"
  ],
  "realm_access": {
    "roles": [
      "default-roles-intrepid",
      "TEST",
      "offline_access",
      "NICE",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "realm-management": {
      "roles": [
        "view-users",
        "view-clients",
        "view-authorization",
        "query-clients",
        "query-groups",
        "query-users"
      ]
    },
    "intrepid-technology": {
      "roles": [
        "TEST"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile offline_access",
  "email_verified": true,
  "name": "Brice Tabor",
  "preferred_username": "brice",
  "given_name": "Brice",
  "family_name": "Tabor",
  "email": "support@intrepid.co.za"
}

`

[ch4mpy]

this.httpClient.post<any>("/bff/querymanagercommand/api/v1/querymanagercommandservice/createquery")

1. This looks like a query through the BFF, which should be authorized with a session cookie, not a Bearer token. Call 192.168.85.60:7080/api/v1/querymanagercommandservice/createquery if authorizing test requests with tokens.
2. according to the token JSON payload, the JsonPath in conf should be $.realm_access.roles (Keycloak's "realm roles") instead of $.resource_access.*.roles (Keycloak's "client roles" for all clients). You might use online tools like https://jsonpath.com/ to test your JsonPath expression against actual token JSON payloads.
3. If this is a unit-test for a @Controller access-control rules, then you'd better use MockMvc in a @WebMvcTest. See the dedicated BaeldungArticle or spring-addons-oauth2-test and spring-addons-starter-oidc-test READMEs.
4. Maybe is QueryCommandServer missing a @Configuration file with @EnableMethodSecurity for @PreAuthorize to work?
5. Since Java 21 and virtual threads, servlet applications are just as efficient as reactive ones, if not more, and much easier to debug.

[intrepidtechnology]

I am sorry to ask this as I read through all the documentation and your sample project code. I am not sure how to get my server to revert to using session cookies and not a Bearer token as stated in step 1.

Do you maybe have an example of a resource sever that uses @PreAuthorize so I can study the code?

I have implemented step 4 using @EnableReactiveMethodSecurity in my code.

Thank you for all your help regarding this.

[ch4mpy]

It feel like I have overlooked something silly

The JsonPath issue I reported two comments above is something like that.

Maybe I should start the project over using the project from the tutorial, then add a test server to it and try to make a call against that

You don't need to add a module. The resource server with the MeController is enough, provided that you enable method security. Use the Baeldung article about unit-tests for sample configuration and access control testing. When you don't manage to do something, proceed by steps and ensure that each step is valid before moving to the next one. Here:

1. write a resource server with access control
2. unit-test this resource server access control
3. query this resource server with a REST tool capable of getting tokens from the authorization server (something like Postman)
4. query the resource server through the BFF using your single-page application, oauth2Login on the gateway and the TokenRelay filter during the routing

[intrepidtechnology]

Okay, will do...thank you!
I'll report back once I've completed all the steps you've given above.

[ch4mpy]

@intrepidtechnology have you sorted out your access control issue? can we consider this answered?

[intrepidtechnology]

Hi @ch4mpy

Sorry I haven't replied earlier, but I've been trying to get this to work, since your last reply.

I decided to recreate the project using a non reactive approach.
This helped with debugging, as I can see more clues in the logs.

Now when I try to access a REST point that's secured with @PreAuthorize("hasAuthority('ADMIN')") or @PreAuthorize("hasRole('ADMIN')") or @PreAuthorize("hasRole('ROLE_ADMIN')"), it fails with the error:

2025-01-17T08:50:17.990+02:00 TRACE [querymanager-query-service,,] 1031665 --- [querymanager-query-service] [nio-7085-exec-1] estMatcherDelegatingAuthorizationManager : Authorizing GET /api/v1/querymanagerqueryservice/queries
17-01-2025 08:50:17.990 [http-nio-7085-exec-1] TRACE o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager.check
                - Authorizing GET /api/v1/querymanagerqueryservice/queries
2025-01-17T08:50:17.990+02:00 TRACE [querymanager-query-service,,] 1031665 --- [querymanager-query-service] [nio-7085-exec-1] estMatcherDelegatingAuthorizationManager : Checking authorization on GET /api/v1/querymanagerqueryservice/queries using org.springframework.security.authorization.AuthenticatedAuthorizationManager@315db5c5
17-01-2025 08:50:17.990 [http-nio-7085-exec-1] TRACE o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager.check
                - Checking authorization on GET /api/v1/querymanagerqueryservice/queries using org.springframework.security.authorization.AuthenticatedAuthorizationManager@315db5c5
2025-01-17T08:50:17.990+02:00 TRACE [querymanager-query-service,,] 1031665 --- [querymanager-query-service] [nio-7085-exec-1] o.s.s.w.a.ExceptionTranslationFilter     : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=192.168.85.60, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied

org.springframework.security.authorization.AuthorizationDeniedException: Access Denied
        at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:99)
....
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
        at java.base/java.lang.Thread.run(Thread.java:1575)

17-01-2025 08:50:17.990 [http-nio-7085-exec-1] TRACE o.s.s.w.a.ExceptionTranslationFilter.handleAccessDeniedException
                - Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=192.168.85.60, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied
org.springframework.security.authorization.AuthorizationDeniedException: Access Denied
        at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:99)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)

...

2025-01-17T08:50:17.993+02:00 TRACE [querymanager-query-service,,] 1031665 --- [querymanager-query-service] [nio-7085-exec-1] o.s.security.web.FilterChainProxy        : Trying to match request against DefaultSecurityFilterChain defined as 'springAddonsJwtResourceServerSecurityFilterChain' in [class path resource [com/c4_soft/springaddons/security/oidc/starter/synchronised/resourceserver/SpringAddonsOidcResourceServerBeans.class]] matching [any request] and having filters [DisableEncodeUrl, WebAsyncManagerIntegration, SecurityContextHolder, HeaderWriter, Logout, BearerTokenAuthentication, RequestCacheAware, SecurityContextHolderAwareRequest, AnonymousAuthentication, SessionManagement, ExceptionTranslation, Authorization] (1/1)
17-01-2025 08:50:17.993 [http-nio-7085-exec-1] TRACE o.s.security.web.FilterChainProxy.getFilters
                - Trying to match request against DefaultSecurityFilterChain defined as 'springAddonsJwtResourceServerSecurityFilterChain' in [class path resource [com/c4_soft/springaddons/security/oidc/starter/synchronised/resourceserver/SpringAddonsOidcResourceServerBeans.class]] matching [any request] and having filters [DisableEncodeUrl, WebAsyncManagerIntegration, SecurityContextHolder, HeaderWriter, Logout, BearerTokenAuthentication, RequestCacheAware, SecurityContextHolderAwareRequest, AnonymousAuthentication, SessionManagement, ExceptionTranslation, Authorization] (1/1)
2025-01-17T08:50:17.993+02:00 DEBUG [querymanager-query-service,,] 1031665 --- [querymanager-query-service] [nio-7085-exec-1] o.s.security.web.FilterChainProxy        : Securing GET /error
17-01-2025 08:50:17.993 [http-nio-7085-exec-1] DEBUG o.s.security.web.FilterChainProxy.doFilterInternal
                - Securing GET /error
....
17-01-2025 08:50:18.065 [http-nio-7085-exec-8] TRACE o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager.check
                - Authorizing GET /api/v1/querymanagerqueryservice/queries
2025-01-17T08:50:18.065+02:00 TRACE [querymanager-query-service,,] 1031665 --- [querymanager-query-service] [nio-7085-exec-8] estMatcherDelegatingAuthorizationManager : Checking authorization on GET /api/v1/querymanagerqueryservice/queries using org.springframework.security.authorization.AuthenticatedAuthorizationManager@315db5c5
17-01-2025 08:50:18.065 [http-nio-7085-exec-8] TRACE o.s.s.w.a.i.RequestMatcherDelegatingAuthorizationManager.check
                - Checking authorization on GET /api/v1/querymanagerqueryservice/queries using org.springframework.security.authorization.AuthenticatedAuthorizationManager@315db5c5
2025-01-17T08:50:18.066+02:00 TRACE [querymanager-query-service,,] 1031665 --- [querymanager-query-service] [nio-7085-exec-8] o.s.s.w.a.ExceptionTranslationFilter     : Sending AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=192.168.85.60, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]] to authentication entry point since access is denied

org.springframework.security.authorization.AuthorizationDeniedException: Access Denied
        at org.springframework.security.web.access.intercept.AuthorizationFilter.doFilter(AuthorizationFilter.java:99)
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:240)

I'm at a loss to how to fix this.

1. The BFF, Proxy and Resource Server are working perfectly.
2. When I test the login, it succeeds and I can see the Bearer token is created on the BFF.
3. The home page confirms the user and authorities.
   Hi brice, you are granted with ["default-roles-intrepid", "offline_access", "NICE", "ADMIN", "uma_authorization"]
4. All servers have authorities-json-path set to $.realm_access.roles
5. I call the end point through the bff (for session cookie):
   this.httpClient.post("/bff/querymanagerquery/api/v1/querymanagerquery/queries")
   or directly (for token):
   this.httpClient.post("http://192.168.85.60:7080/api/v1/querymanagerqueryservice/queries")
6. I tried adding {withCredentials: true} in Angular.
7. I checked the session cookies etc. are present in the browser:

SESSION_ID	e007c595-dfee-4154-afce-2725bf882e72	192.168.85.60 /auth/realms/master/			
AUTH_SESSION_ID_LEGACY	acd95d7f-265d-44a9-aab3-bafec0c001d1 192.168.85.60 /auth/realms/intrepid/	AUTH_SESSION_ID_LEGACY	e66a1e22-78eb-4ba2-8d6a-6b70512f9f8c	192.168.85.60 /auth/realms/master/

KC_RESTART yJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxZTc3ZTQwNy00MTcyLTQ5YWUtYjU5Zi1lNDUyNzI0ODFlN2EifQ.eyJjaWQiOiJzZWN1cml0eS1hZG1pbi1jb25zb2xlIiwicHR5Ijoib3BlbmlkLWNvbm5lY3QiLCJydXJpIjoiaHR0cDovLzE5Mi4xNjguODUuNjA6NzA4MC9hdXRoL2FkbWluL21hc3Rlci9jb25zb2xlLyIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7InNjb3BlIjoib3BlbmlkIiwiaXNzIjoiaHR0cDovLzE5Mi4xNjguODUuNjA6NzA4MC9hdXRoL3JlYWxtcy9tYXN0ZXIiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsImNvZGVfY2hhbGxlbmdlX21ldGhvZCI6IlMyNTYiLCJyZWRpcmVjdF91cmkiOiJodHRwOi8vMTkyLjE2OC44NS42MDo3MDgwL2F1dGgvYWRtaW4vbWFzdGVyL2NvbnNvbGUvIiwic3RhdGUiOiJlZTdjYjY2Yy0yNWNhLTRhNmUtODUwNy1iZGRjZTM4MmJiM2IiLCJub25jZSI6ImQ0ODExMmZkLTIyMTEtNDk3OC04ZmIyLWZkZDU3NGZjZWMyOSIsImNvZGVfY2hhbGxlbmdlIjoiOERhNlBpSVctT3lQc1VnNU5vd1FROU9JaWFPdUU5b1QwekYzY3I0MnBIZyIsInJlc3BvbnNlX21vZGUiOiJmcmFnbWVudCJ9fQ.hp2NpvIDe5MBKhUWmF3eGipBvF3gueC_MvborMDDCGjIGKh-BdSzGbPb6IymXepL-7AO11ZtVf5SBg7dmLN08A	192.168.85.60	
/auth/realms/master/	

KEYCLOAK_IDENTITY_LEGACY	eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJkNjkxYjdlNS0xNTYxLTQ3YTItYjI3YS0yYTk1OTdiYzk0ZmIifQ.eyJleHAiOjE3MzcxMzI0MjUsImlhdCI6MTczNzA5NjQyNSwianRpIjoiMTY2MWZjM2QtNmY0My00ODRhLTk0Y2YtZDA1ZTk4OTk0ODg2IiwiaXNzIjoiaHR0cDovLzE5Mi4xNjguODUuNjA6NzA4MC9hdXRoL3JlYWxtcy9pbnRyZXBpZCIsInN1YiI6IjU2M2Y1YmRiLTk5YzAtNDQ1Ni04ZGY4LWQwMDk0MmIzYWIzOCIsInR5cCI6IlNlcmlhbGl6ZWQtSUQiLCJzZXNzaW9uX3N0YXRlIjoiYWNkOTVkN2YtMjY1ZC00NGE5LWFhYjMtYmFmZWMwYzAwMWQxIiwic2lkIjoiYWNkOTVkN2YtMjY1ZC00NGE5LWFhYjMtYmFmZWMwYzAwMWQxIiwic3RhdGVfY2hlY2tlciI6InhDSEwwVDdYeTB2MVFBS3RGRW0tQnpjcGdVWVVTMERBMVlpckxacEVYbEkifQ.eAhTzCO5i5lMpV6gw_5VelLxDO6fXZ7jVgKuNVB5NAqWGRvVacOVR1DbQ4Wb0v7Fp9A6ug6XuItXOeppNnOLow	192.168.85.60	
/auth/realms/intrepid/

KEYCLOAK_SESSION_LEGACY "intrepid/563f5bdb-99c0-4456-8df8-d00942b3ab38/acd95d7f-265d-44a9-aab3-bafec0c001d1"	192.168.85.60 /auth/realms/intrepid/
SESSION_bff-service a5517a53-31dc-4263-bcfa-6c88c602bf75	192.168.85.60	
XSRF-TOKEN	d2252435-d311-4799-9b99-78d54146e6b7	192.168.85.60

8. I set the security configuration in the Query Server to:

@Configuration
@EnableMethodSecurity
public class SecurityConfiguration {
//
}

9. I have the following rest endpoint as:

@RestController
@Tag(name = "Query Manager - User Query Controller", description = "API Endpoints for the Query Manager Query Service")
@RequestMapping(value = AdminQueryController.REST_URL)
public class AdminQueryController {

    static final String REST_URL = "/api/v1/querymanagerqueryservice";

    @Autowired
    private final QueryManagerQueryService queryManagerQueryService;
	
    private static final Logger logger = LoggerFactory.getLogger(AdminQueryController.class);
   
    public AdminQueryController(
        QueryManagerQueryService queryManagerQueryService) {
            this.queryManagerQueryService = queryManagerQueryService;
	}

    @PreAuthorize("permitAll()")
    @RequestMapping("/resource")
    public Map<String,Object> home() {
        Map<String,Object> model = new HashMap<String,Object>();
        model.put("id", UUID.randomUUID().toString());
        model.put("content", "Hello World");
        return model;
    }

	@ResponseStatus(value = HttpStatus.OK)
        @GetMapping("/queries")
        @PreAuthorize("hasAuthority('ADMIN')")
	public List<QueryResponseDto> getAllQueries() throws ExecutionException, InterruptedException {

    		logger.debug("AdminQueryController: getAllQueries called");
		var result = queryManagerQueryService.findAllQueries();
                return result;
	}

Thank you for all your help so far.

Kind regards

[ch4mpy]

You could be in a similar situation as the user who opened this ticket:

Your BFF log shows: Sending AnonymousAuthenticationToken => the request to the BFF is not correctly authorized => the TokenRelay filter has no session to take an access token from => the downstream resource server receives the request without a Bearer authorization header

You should be careful that there are two distinct sessions, each with its own cookie in your browser:

• one on the authorization server (a given Keycloak realm). Cookies with /auth/realms/... as path are very likely to be for such a session
• a completely different one on the BFF (Spring Cloud Gateway with oauth2Login and the TokenRelay filter)

What is important for a request from your frontend to be authorized on your backend is that it contains the session cookie from the BFF (not from whatever Keycloak realm) and that this session is authorized (contains tokens after user login). For that, the front end and the BFF must be "same site" (the easiest solution for that is to make it "same origin" using a reverse proxy to serve both).

If you're using Postman to "try" requests to your backend, use its OAuth2 features to get access tokens from Keycloak and call the resource servers directly (don't go through the BFF which expects session cookies, not Bearer tokens). You could also install a special Postman Chrome extension to login using Chrome and then have Postman read the session cookie from Chrome to authorize its requests to the BFF, but honestly, using tokens and skipping the BFF when using Postamn is simpler and safer (I don't like the idea of allowing 3rd party applications to read my same-site cookies in Chrome).

If using a Javascript-based frontend in development mode (served with the dev-server for your framework), be sure to go through the same reverse proxy to reach the UI dev-server and the BFF. This reverse proxy could be:

• built-in to your dev-server (there is such a feature when working with Angular)
• the Gateway itself if defining a special route to the dev-server with permitAll and no filter (no TokenRelay, no SaveSession, ...)
• a dedicated Nginx running in front of both (as done in the Baeldung article).

[intrepidtechnology]

Thanks for all your help with this.

It's working!!!!

If this helps anyone else, here is what I did:

• add each of the resource servers to the BFF "security-matches" setting.
  So in my case, I added my two test servers called querymanagerquery, and querymanagercommand to the security-matches section in the settings as follows:

security-matchers:
          - /querymanagerquery/**
          - /querymanagercommand/**

So here is what my full settings looks like:

com:
  c4-soft:
    springaddons:
      oidc:
        # Trusted OpenID Providers configuration (with authorities mapping)
        ops:
        - iss: ${issuer}
          authorities:
          - path: ${authorities-json-path}
          aud: ${audience}
        # SecurityFilterChain with oauth2Login() (sessions and CSRF protection enabled)
        client:
          client-uri: ${reverse-proxy-uri}${bff-prefix}
          security-matchers:
          - /querymanagerquery/**
          - /querymanagercommand/**
          - /api/**
          - /login/**
          - /oauth2/**
          - /logout/**
          permit-all:
          - /api/**
          - /login/**
          - /oauth2/**
          - /logout/connect/back-channel/intrepid
          post-logout-redirect-host: ${hostname}
          csrf: cookie-accessible-from-js
          oauth2-redirections:
            rp-initiated-logout: ACCEPTED
          back-channel-logout:
            enabled: true
            # internal-logout-uri: ${reverse-proxy-uri}${bff-prefix}/logout
            # should work too,  but there is no reason to go through the reverse proxy for this internal call
            internal-logout-uri: ${scheme}://${hostname}:${bff-port}/logout
        # SecurityFilterChain with oauth2ResourceServer() (sessions and CSRF protection disabled)
        resourceserver:
          permit-all:
          - /login-options
          - /error
          - /v3/api-docs/**
          - /swagger-ui/**
          - /actuator/health/readiness
          - /actuator/health/liveness

[ch4mpy]

I should have spotted that some of the gateway routes configured with the TokenRelay filter were not listed in the security-matcher for the security fiter chain with oauth2Login auto-configured by spring-addons. Sorry.

But yes, the TokenRelay filter relies on oauth2Login, and more precisely on the authorized client manager it configures. As stated earlier, this filter replaces the session cookie with an Authorization header containing an access token issued using a given registration (which can be implicit when the configuration contains only one). So, all routes with the TokenRelay filter pointing to a registration with authorization_code must be processed by a security filter chain with oauth2Login (which gets tokens from the authorization server and saves them in session). When using spring-addons-starter-oidc, this requires:

• having spring-boot-starter-oauth2-client on the classpath
• including these routes among the com.c4-soft.springaddons.oidc.client.security-matchers array (as you figured out by yourself).