Getting Unauthorized error: Full authentication is required to access this resource

Question

I'm implementing JWT and Spring Security for authentication in my application.

I have 3 roles: Admin, Moderator and User.

For example, after logging with user role, I got the home page, but once I go to hit the user space by clicking on a button, I got:

2020-09-04 09:01:22.819 ERROR 10148 --- [nio-8080-exec-5] c.b.s.security.jwt.AuthEntryPointJwt : Unauthorized error: Full authentication is required to access this resource

the file webSecurityConfig.java is:

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(
        // securedEnabled = true,
        // jsr250Enabled = true,
        prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    UserDetailsServiceImpl userDetailsService;

    @Autowired
    private AuthEntryPointJwt unauthorizedHandler;

    @Bean
    public AuthTokenFilter authenticationJwtTokenFilter() {
        return new AuthTokenFilter();
    }

    @Override
    public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception {
        authenticationManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    @Bean
    @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
            .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
            .authorizeRequests().antMatchers("/api/auth/**").permitAll()
            .antMatchers("/api/test/**").permitAll()
            .anyRequest().authenticated();

        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }
}

• The class AuthEntryPointJwt is:

  @Component public class AuthEntryPointJwt implements AuthenticationEntryPoint {

    private static final Logger logger = LoggerFactory.getLogger(AuthEntryPointJwt.class);
  
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        logger.error("Unauthorized error: {}", authException.getMessage());
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Error: Unauthorized");
    }
  

  }

• The class AuthTokenFilter is:

  public class AuthTokenFilter extends OncePerRequestFilter { @Autowired private JwtUtils jwtUtils;

    @Autowired
    private UserDetailsServiceImpl userDetailsService;
  
    private static final Logger logger = LoggerFactory.getLogger(AuthTokenFilter.class);
  
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        try {
            String jwt = parseJwt(request);
            if (jwt != null && jwtUtils.validateJwtToken(jwt)) {
                String username = jwtUtils.getUserNameFromJwtToken(jwt);
  
                UserDetails userDetails = userDetailsService.loadUserByUsername(username);
                UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
                        userDetails, null, userDetails.getAuthorities());
                authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
  
                SecurityContextHolder.getContext().setAuthentication(authentication);
            }
        } catch (Exception e) {
            logger.error("Cannot set user authentication: {}", e);
        }
  
        filterChain.doFilter(request, response);
    }
  
    private String parseJwt(HttpServletRequest request) {
        String headerAuth = request.getHeader("Authorization");
  
        if (StringUtils.hasText(headerAuth) && headerAuth.startsWith("Bearer ")) {
            return headerAuth.substring(7, headerAuth.length());
        }
  
        return null;
    }
  

  }

• The class JwtUtils is:

  @Component public class JwtUtils { private static final Logger logger = LoggerFactory.getLogger(JwtUtils.class);

    @Value("${bezkoder.app.jwtSecret}")
    private String jwtSecret;
  
    @Value("${bezkoder.app.jwtExpirationMs}")
    private int jwtExpirationMs;
  
    public String generateJwtToken(Authentication authentication) {
  
        UserDetailsImpl userPrincipal = (UserDetailsImpl) authentication.getPrincipal();
  
        return Jwts.builder()
                .setSubject((userPrincipal.getUsername()))
                .setIssuedAt(new Date())
                .setExpiration(new Date((new Date()).getTime() + jwtExpirationMs))
                .signWith(SignatureAlgorithm.HS512, jwtSecret)
                .compact();
    }
  
    public String getUserNameFromJwtToken(String token) {
        return Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(token).getBody().getSubject();
    }
  
    public boolean validateJwtToken(String authToken) {
        try {
            Jwts.parser().setSigningKey(jwtSecret).parseClaimsJws(authToken);
            return true;
        } catch (SignatureException e) {
            logger.error("Invalid JWT signature: {}", e.getMessage());
        } catch (MalformedJwtException e) {
            logger.error("Invalid JWT token: {}", e.getMessage());
        } catch (ExpiredJwtException e) {
            logger.error("JWT token is expired: {}", e.getMessage());
        } catch (UnsupportedJwtException e) {
            logger.error("JWT token is unsupported: {}", e.getMessage());
        } catch (IllegalArgumentException e) {
            logger.error("JWT claims string is empty: {}", e.getMessage());
        }
  
        return false;
    }
  

  }

• The class AuthController is:

  @CrossOrigin(origins = "*", maxAge = 3600) @RestController @RequestMapping("/api/auth") public class AuthController { @Autowired AuthenticationManager authenticationManager;

        @Autowired
        UserRepository userRepository;
  
        @Autowired
        RoleRepository roleRepository;
  
        @Autowired
        PasswordEncoder encoder;
  
        @Autowired
        JwtUtils jwtUtils;
  
        @PostMapping("/signin")
        public ResponseEntity<?> authenticateUser(@Valid @RequestBody LoginRequest loginRequest) {
  
            System.out.println("---------------- auth 1 ");
            Authentication authentication = authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(loginRequest.getUsername(), loginRequest.getPassword()));
  
            SecurityContextHolder.getContext().setAuthentication(authentication);
            String jwt = jwtUtils.generateJwtToken(authentication);
  
            UserDetailsImpl userDetails = (UserDetailsImpl) authentication.getPrincipal();      
            List<String> roles = userDetails.getAuthorities().stream()
                    .map(item -> item.getAuthority())
                    .collect(Collectors.toList());
  
            return ResponseEntity.ok(new JwtResponse(jwt, 
                                                     userDetails.getId(), 
                                                     userDetails.getUsername(), 
                                                     userDetails.getEmail(), 
                                                     roles));
        }
  
  
  
        @GetMapping("/user")
        @PreAuthorize("hasRole('USER') or hasRole('MODERATOR') or hasRole('ADMIN')")
        public String userAccess()
        {
            System.out.println("---------------- test User ");
            return "User Content.";
        }
    }
  

The file application.properties, I put:

spring.datasource.url=...
spring.datasource.username=...
spring.datasource.password=...
spring.jpa.properties.hibernate.jdbc.lob.non_contextual_creation= true
spring.jpa.properties.hibernate.dialect=...
spring.jpa.hibernate.ddl-auto=update
bezkoder.app.jwtSecret= bezKoderSecretKey
bezkoder.app.jwtExpirationMs= 86400000

In Browser console, I got that exception.

Could you please help me solving that issue ?. Big thanks.

Answer 1

You probably are testing in wrong in postman or amneasia or whatever API testing tool you are using. If you are using postman :

1.Select the Header tab

2.Click the button that says "hide auto-generated headers"

3.Type "Authorization" (without quotes) under the "Key" column.

4.Type "Bearer" under the "Value" column then paste the token. Ensure there is a space between "Bearer" and the "Token".

5.Send the request

Answer 2

You have to update WebSecurityConfig according to your Controller mapping.

      .antMatchers("/**").permitAll()
      .anyRequest().authenticated();

Answer 3

You should comment @PreAuthorize("hasRole('USER') or hasRole('MODERATOR') or hasRole('ADMIN')").

Tell about the result ?.