Himai Minh

Bartender
since Jul 29, 2012

Recent posts by Himai Minh

Also, my next test is to use  @PreAuthorize("hasAuthority('USER')") for the get endpoint instead of @RolesAllowed.
It now works.
4 months ago
So far, I made some changes to your code:




In application.properties, use this property instead of create-drop to recreate the table every time I start the application:

I use port 8080 instead of 6666.
I use Postman to do the following:
1. I first send a POST request at  localhost:8080/auth/register.
I submit this info in JSON:
{
    "firstname": "John",
    "lastname": "Smith",
    "username": "jsmith3",
    "password": "smith3",
    "email": "jsmith3@gmail.com"
}
2. I then send a POST request at localhost:8080/auth/login
{
    "username": "jsmith3",
    "password": "smith3"
}
I got the access token.
3. I create another GET request at localhost:8080/endpoints/user
Under the Authorization panel, copy and paste the token in the Bearer Token field.
4. So far, I get access to the endpoint.
4 months ago
Does this article help:
https://www.baeldung.com/security-none-filters-none-access-permitAll ?

Section 5 of the article says this:

Also note that, if an <http> element doesn’t specify a pattern, then by default, that maps to the universal match pattern – “/**” – so again, this element needs to be last. If the order of the elements is not correct, the creation of the security filter chain will fail:

4 months ago
One more additional note to my previous post.
Can you try to create a second user, maybe called John, and a password for John?
Then, you, as the Obert user, log in and log out.
Then, you log in as John. See if John can be authenticated.
4 months ago
As I check your CustomLogoutHandler, it simply deletes the token, which was once used by the user and no longer needed.
It should not affect the authorities of the user.
So, when you log back in, you are denied again.
Maybe, put some debuggers in the JwtAuthenticationFilter and see.

I don't understand why you need to use the refreshToken like this:

4 months ago
Also, one more additional note to my above comment. I found a public, free educational example on GitHub: https://github.com/springframeworkguru/ssc-brewery/blob/mtc-secure-read-beer-order/src/main/java/guru/sfg/brewery/security/JpaUserDetailsService.java
This example shows:



So, in your code, you can do this:
 

4 months ago
First of all, where is this error coming from: ((User)userDetails).password = Cannot find local variable 'userDetails' ?

In the AuthService class, can you put some debuggers in the login method to see how it goes?
Especially inside the generateNewAccessToken method, put a debugger in this line:  UserDetails userDetails = ourUserDetailsService.loadUserByUsername(username);

Also, in the JwtAuthenticationFilter class, can you put some debuggers in this piece of code:


That way, you can see if your token is valid or invalid.
4 months ago
The empty authority may not be the cause.
The cause is your credentials cannot be authenticated. Try to put a debugger in line 16 or 17 of JwtAuthenticationEntryPoint. Run the code in the debug mode and see if this filter is passed through.
4 months ago
For example, put a debugger in line 43 of your JwtAuthenticationFilter class and see.
Or, put some more debuggers in this class to trace the code.
4 months ago
Try to put some debuggers in your code and run your code in debugging mode.
The problem may be from a JWT token that can't be validated.
Or, try to find a simple example online and see how it works.
4 months ago
Maybe, put some debuggers in your code and run it in debugging mode.
I guess what your code does is to create a JWT token for a user. When the user logs in, a JWT token is generated.
See the JWT token generated for a new user. When the user submits a request, see if the token matches the original token.
This is a good tutorial:
https://www.javainuse.com/spring/boot-jwt

You can also check if the information in your token is correct by pasting your token here:
https://jwt.io/
Remember to select the right algorithm you are using in your code.
4 months ago
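The two checks these posts suggest (does the token validate, and does the authority inside it match what the endpoint annotation asks for) can be reproduced offline. The block below is an added example written for this page; it is not code from the thread or from the poster's project. It assumes HS256 signing with a constructed key, and it assumes the token carries the user's granted authorities in a claim named "authorities" (the thread never shows the claim name). The last function models the difference behind the first post's note that @PreAuthorize("hasAuthority('USER')") worked where @RolesAllowed did not: @RolesAllowed("USER") and hasRole('USER') look for an authority named ROLE_USER, while hasAuthority('USER') looks for the literal USER.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed signing key for the example only; not a value from the thread.
SECRET = b"example-signing-key-not-a-real-secret"


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWTs require."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature (all base64url)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def inspect_token(token: str) -> dict:
    """Decode header and payload WITHOUT verifying, i.e. what jwt.io shows you."""
    header_b64, payload_b64, _ = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
    }


def validate_hs256(token: str, key: bytes, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Rejects a wrong algorithm, a bad signature, or an expired token,
    which are the usual reasons a filter ends up sending 401."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected three dot-separated segments"
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        return False, "algorithm mismatch: token says %r, validator expects HS256" % header.get("alg")
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return False, "signature mismatch: wrong key or the token was altered"
    payload = json.loads(b64url_decode(payload_b64))
    current = now if now is not None else time.time()
    if "exp" in payload and payload["exp"] <= current:
        return False, "token expired"
    return True, "ok"


def spring_access_decision(payload: dict, expression: str) -> bool:
    """Model of Spring Security's matching against the authorities in the token.
    hasRole('X') (and @RolesAllowed("X")) requires an authority 'ROLE_X';
    hasAuthority('X') requires the literal authority 'X'."""
    authorities = set(payload.get("authorities", []))  # assumed claim name
    kind, _, arg = expression.partition("(")
    name = arg.rstrip(")").strip("'\"")
    if kind == "hasAuthority":
        return name in authorities
    if kind == "hasRole":
        return (name if name.startswith("ROLE_") else "ROLE_" + name) in authorities
    raise ValueError("unsupported expression %r" % expression)


if __name__ == "__main__":
    # Constructed claims resembling the user registered earlier in the thread.
    claims = {"sub": "jsmith3", "authorities": ["USER"], "exp": 2000000000}
    token = make_hs256_token(claims, SECRET)
    print(inspect_token(token))
    print(validate_hs256(token, SECRET))
    print(validate_hs256(token, b"some-other-key"))
    print("hasAuthority('USER'):", spring_access_decision(claims, "hasAuthority('USER')"))
    print("hasRole('USER'):     ", spring_access_decision(claims, "hasRole('USER')"))
```

If the validator reports "algorithm mismatch" or "signature mismatch", the problem is in how the token was issued or which key the filter uses, not in the user's authorities; if validation passes but hasRole('USER') is false while hasAuthority('USER') is true, the stored authority lacks the ROLE_ prefix that @RolesAllowed expects.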
I guess the user input credentials cannot be authenticated.
A 401 Unauthorized error means authentication is failing.
Are you sure you input the right credentials?
4 months ago