Spring security always returns HTTP 403

逝去的感伤 2020-12-28 17:07

I have configured a custom Filter that grants a Spring authority for every URL other than /login:

public class TokenFilter impleme         


        
7 answers
  •  太阳男子
    2020-12-28 18:06

    As others have said, 403 means that the user is logged in but doesn't have the right permission to view the resource; I would check the following:

    1. Your control has the correct role permission @Secured( {"ROLE_myAuthority"} )
    2. You have actually granted the correct permission new SimpleGrantedAuthority("ROLE_myAuthority");
    3. Actual granted authority from the UsernamePasswordAuthenticationToken object
    4. The filter is being injected correctly

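      // Build the token as the filter does, then list the authorities it actually carries
      Authentication auth = new UsernamePasswordAuthenticationToken(username, authentication.getCredentials(), authorities);
      Collection<? extends GrantedAuthority> auths = auth.getAuthorities();

      Iterator<? extends GrantedAuthority> authsIterator = auths.iterator();

      while (authsIterator.hasNext()) {
          // Read through the GrantedAuthority interface; casting to SimpleGrantedAuthority fails for other implementations
          GrantedAuthority ga = authsIterator.next();
          ga.getAuthority(); // the string to compare with the role named in @Secured
          // ...
      }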
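
The checks listed in the answer above can be run in one place. This is an added example, not code from the post or from Spring Security itself: a hypothetical `AuthorityDiagnostics` helper that reports why an `Authentication` would fail a role requirement. The class name, the user `alice` and the sample authority are assumptions, and it needs spring-security-core on the classpath.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical helper, not from the page: explains why a role check would deny a request.
public final class AuthorityDiagnostics {

    // Inspect whatever the filter chain left in the SecurityContext for this request.
    public static String explain(String requiredRole) {
        return explain(SecurityContextHolder.getContext().getAuthentication(), requiredRole);
    }

    public static String explain(Authentication auth, String requiredRole) {
        if (auth == null) {
            return "No Authentication in the SecurityContext: the filter did not set one";
        }
        if (auth instanceof AnonymousAuthenticationToken) {
            return "Anonymous token: the custom filter did not populate the SecurityContext";
        }
        if (!auth.isAuthenticated()) {
            return "Token is not marked authenticated: build it with the constructor that takes authorities";
        }
        Set<String> granted = auth.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .collect(Collectors.toSet());
        if (granted.contains(requiredRole)) {
            return "OK: '" + requiredRole + "' is granted";
        }
        // Role names are compared as exact strings, so a missing ROLE_ prefix or a case change denies access.
        for (String g : granted) {
            if (g.equalsIgnoreCase(requiredRole) || ("ROLE_" + g).equals(requiredRole)) {
                return "Near miss: granted '" + g + "', required '" + requiredRole + "'";
            }
        }
        return "Denied: required '" + requiredRole + "', granted " + granted;
    }

    public static void main(String[] args) {
        // Constructed sample: the authority was granted without the ROLE_ prefix the annotation names.
        Authentication auth = new UsernamePasswordAuthenticationToken(
                "alice", "n/a", List.of(new SimpleGrantedAuthority("myAuthority")));
        System.out.println(explain(auth, "ROLE_myAuthority"));
    }
}
```

Calling `explain("ROLE_myAuthority")` from the secured controller's own filter chain, after the custom filter has run, shows what the access decision actually sees for that request.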
      
