Spring Boot Microservices (Spring Cloud) , 403 Forbidden among services (Controller and ControllerTe

I have a communication problem in my spring boot microservices.

I created some services as well as eureka server, api gateway and config server.

I defined auth service connecting to api gateway for the process of authentication and authorization. I used this service as creating a user, logining and refreshing token.

After I created a user and login in auth service through the port number of api gateway, I tried to make a request to the order service like `http://localhost:9090/order/placeorder` or `http://localhost:9090/order/{order_id}` but I got 403 forbidden issue.

I knew there can be spring security problem among api gateway, auth service and order service but I couldn't find where the issue is.

Except for that, I cannot run any test method defined in OrderControllerTest because of this reason.

How can I fix these issues?

I shared some code snippets regarding security config defined in 2 services and api gateway and gateway filter located in api gateway.

Here is **SecurityConfig** in **auth service**.

   @Configuration    @EnableWebSecurity    @EnableGlobalMethodSecurity(prePostEnabled = true)    @RequiredArgsConstructor    public class SecurityConfig {            private final JwtAuthenticationEntryPoint authenticationEntryPoint;        private final JWTAccessDeniedHandler accessDeniedHandler;        private final JwtUtils jwtUtils;        private final CustomUserDetailsService customUserDetailsService;            @Bean        public AuthenticationManager authenticationManager(final AuthenticationConfiguration authenticationConfiguration) throws Exception {            return authenticationConfiguration.getAuthenticationManager();        }            @Bean        public PasswordEncoder passwordEncoder() {            return new BCryptPasswordEncoder();        }                @Bean        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {            return http                    .headers().frameOptions().disable().and()                    .csrf().disable()                    .cors().and()                    .authorizeRequests(auth -> {                        auth.anyRequest().authenticated();                    })                    .formLogin().disable()                    .httpBasic().disable()                    .exceptionHandling().accessDeniedHandler(accessDeniedHandler)                    .authenticationEntryPoint(authenticationEntryPoint)                    .and()                    .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)                    .and()                    .addFilterBefore(authenticationJwtTokenFilter(jwtUtils,customUserDetailsService), UsernamePasswordAuthenticationFilter.class)                    .build();        }            @Bean        public WebSecurityCustomizer webSecurityCustomizer() {            return (web) -> web.ignoring().antMatchers("/authenticate/signup","/authenticate/login", "/authenticate/refreshtoken");        }            @Bean        public AuthTokenFilter authenticationJwtTokenFilter(JwtUtils jwtUtils, CustomUserDetailsService customUserDetailsService) {            return new AuthTokenFilter(jwtUtils, customUserDetailsService);        }    }

Here is **SecurityConfig** in **api gateway**.

   @Configuration    @EnableWebFluxSecurity    public class SecurityConfig {            @Bean        public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity serverHttpSecurity){                serverHttpSecurity.cors().and().csrf().disable()                    .authorizeExchange(exchange -> exchange                            .anyExchange()                            .permitAll());            return serverHttpSecurity.build();        }            }

Here is the **gatewayconfig** in **api gateway**

   @Configuration    @RequiredArgsConstructor    public class GatewayConfig {            private final JwtAuthenticationFilter filter;            @Bean        public RouteLocator routes(RouteLocatorBuilder builder) {            return builder.routes().route("AUTH-SERVICE", r -> r.path("/authenticate/**").filters(f -> f.filter(filter)).uri("lb://AUTH-SERVICE"))                    .route("PRODUCT-SERVICE", r -> r.path("/product/**").filters(f -> f.filter(filter)).uri("lb://PRODUCT-SERVICE"))                    .route("PAYMENT-SERVICE", r -> r.path("/payment/**").filters(f -> f.filter(filter)).uri("lb://PAYMENT-SERVICE"))                    .route("ORDER-SERVICE", r -> r.path("/order/**").filters(f -> f.filter(filter)).uri("lb://ORDER-SERVICE")).build();        }    }

Here is **SecurityConfig** in **order service**.

   @Configuration    @EnableWebSecurity    @EnableGlobalMethodSecurity(prePostEnabled = true)    public class WebSecurityConfig {            @Bean        public SecurityFilterChain securityWebFilterChain(HttpSecurity http) throws Exception {            http.csrf().disable()                    .authorizeRequests()                    .antMatchers("/order/**")                         .access("hasAnyAuthority('ROLE_USER') or hasAnyAuthority('ROLE_ADMIN')");            return http.build();        }    }

Here is the **OrderControllerTest** shown below.

   @SpringBootTest({"server.port=0"})    @EnableConfigurationProperties    @AutoConfigureMockMvc    @ContextConfiguration(classes = {OrderServiceConfig.class})    @ActiveProfiles("test")    public class OrderControllerTest {            @RegisterExtension        static WireMockExtension wireMockserver                = WireMockExtension.newInstance()                .options(WireMockConfiguration                        .wireMockConfig()                        .port(8080))                .build();            @Autowired        private OrderService orderService;        @Autowired        private OrderRepository orderRepository;            @Autowired        private MockMvc mockMvc;        private ObjectMapper objectMapper                = new ObjectMapper()                .findAndRegisterModules()                .configure(SerializationFeature.WRITE_DATES_AS_TIMESTAMPS, false)                .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);            @Autowired        JwtUtils jwtUtils;            @BeforeEach        void setup() throws IOException {            getProductDetailsResponse();            doPayment();            getPaymentDetails();            reduceQuantity();        }            private void reduceQuantity() {            wireMockserver.stubFor(put(urlMatching("/product/reduceQuantity/.*"))                    .willReturn(aResponse()                            .withStatus(HttpStatus.OK.value())                            .withHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE)));        }            private void getPaymentDetails() throws IOException {            wireMockserver.stubFor(get("/payment/order/1")                    .willReturn(aResponse()                            .withHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE)                            .withStatus(HttpStatus.OK.value())                            .withBody(copyToString(OrderControllerTest.class.getClassLoader().getResourceAsStream("mock/GetPayment.json"), defaultCharset()))));        }            private void doPayment() {            wireMockserver.stubFor(post(urlEqualTo("/payment"))                    .willReturn(aResponse()                            .withStatus(HttpStatus.OK.value())                            .withHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE)));        }            private void getProductDetailsResponse() throws IOException {                wireMockserver.stubFor(get("/product/1")                    .willReturn(aResponse()                            .withStatus(HttpStatus.OK.value())                            .withHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE)                            .withBody(copyToString(                                    OrderControllerTest.class                                            .getClassLoader()                                            .getResourceAsStream("mock/GetProduct.json"),                                    defaultCharset()))));        }            private OrderRequest getMockOrderRequest() {            return OrderRequest.builder()                    .productId(1)                    .paymentMode(PaymentMode.CASH)                    .quantity(1)                    .totalAmount(100)                    .build();        }            @Test        @DisplayName("Place Order -- Success Scenario")        @WithMockUser(username = "User", authorities = { "ROLE_USER" })        void test_When_placeOrder_DoPayment_Success() throws Exception {                OrderRequest orderRequest = getMockOrderRequest();            String jwt = getJWTTokenForRoleUser();                MvcResult mvcResult                    = mockMvc.perform(MockMvcRequestBuilders.post("/order/placeorder")                            .contentType(MediaType.APPLICATION_JSON_VALUE)                            .header("Authorization", "Bearer " + jwt)                            .content(objectMapper.writeValueAsString(orderRequest)))                    .andExpect(MockMvcResultMatchers.status().isOk())                    .andReturn();                String orderId = mvcResult.getResponse().getContentAsString();                Optional<Order> order = orderRepository.findById(Long.valueOf(orderId));            assertTrue(order.isPresent());                Order o = order.get();            assertEquals(Long.parseLong(orderId), o.getId());            assertEquals("PLACED", o.getOrderStatus());            assertEquals(orderRequest.getTotalAmount(), o.getAmount());            assertEquals(orderRequest.getQuantity(), o.getQuantity());        }            @Test        @DisplayName("Place Order -- Failure Scenario")        @WithMockUser(username = "Admin", authorities = { "ROLE_ADMIN" })        public void test_When_placeOrder_WithWrongAccess_thenThrow_403() throws Exception {                    OrderRequest orderRequest = getMockOrderRequest();            String jwt = getJWTTokenForRoleAdmin();                MvcResult mvcResult                    = mockMvc.perform(MockMvcRequestBuilders.post("/order/placeorder")                            .header("Authorization", "Bearer " + jwt)                            .contentType(MediaType.APPLICATION_JSON_VALUE)                            .content(objectMapper.writeValueAsString(orderRequest)))                    .andExpect(MockMvcResultMatchers.status().isForbidden())                    .andReturn();            }                @Test        //@WithMockUser(username = "Admin", authorities = { "ROLE_ADMIN" })        public void test_WhenGetOrder_Success() throws Exception {                String jwt = getJWTTokenForRoleUser();                MvcResult mvcResult                    = mockMvc.perform(MockMvcRequestBuilders.get("/order/1")                            .header("Authorization", "Bearer " + jwt)                            .contentType(MediaType.APPLICATION_JSON_VALUE))                    .andExpect(MockMvcResultMatchers.status().isOk())                    .andReturn();                String actualResponse = mvcResult.getResponse().getContentAsString();            Order order = orderRepository.findById(1l).get();            String expectedResponse = getOrderResponse(order);                assertEquals(expectedResponse,actualResponse);        }            @Test        //@WithMockUser(username = "Admin", authorities = { "ROLE_ADMIN" })        public void testWhen_GetOrder_Order_Not_Found() throws Exception {                String jwt = getJWTTokenForRoleAdmin();                MvcResult mvcResult                    = mockMvc.perform(MockMvcRequestBuilders.get("/order/4")                            .header("Authorization", "Bearer " + jwt)                            .contentType(MediaType.APPLICATION_JSON_VALUE))                    .andExpect(MockMvcResultMatchers.status().isNotFound())                    .andReturn();        }            private String getOrderResponse(Order order) throws IOException {            OrderResponse.PaymentDetails paymentDetails                    = objectMapper.readValue(                    copyToString(                            OrderControllerTest.class.getClassLoader()                                    .getResourceAsStream("mock/GetPayment.json"                                    ),                            defaultCharset()                    ), OrderResponse.PaymentDetails.class            );            paymentDetails.setPaymentStatus("SUCCESS");                OrderResponse.ProductDetails productDetails                    = objectMapper.readValue(                    copyToString(                            OrderControllerTest.class.getClassLoader()                                    .getResourceAsStream("mock/GetProduct.json"),                            defaultCharset()                    ), OrderResponse.ProductDetails.class            );                OrderResponse orderResponse                    = OrderResponse.builder()                    .paymentDetails(paymentDetails)                    .productDetails(productDetails)                    .orderStatus(order.getOrderStatus())                    .orderDate(order.getOrderDate())                    .amount(order.getAmount())                    .orderId(order.getId())                    .build();            return objectMapper.writeValueAsString(orderResponse);        }            private String getJWTTokenForRoleUser(){                var loginRequest = new LoginRequest("User1","user1");                String jwt = jwtUtils.generateJwtToken(loginRequest.getUsername());                return jwt;        }            private String getJWTTokenForRoleAdmin(){                var loginRequest = new LoginRequest("Admin","admin");                String jwt = jwtUtils.generateJwtToken(loginRequest.getUsername());                return jwt;        }            @Data        @AllArgsConstructor        @NoArgsConstructor        public class LoginRequest {                private String username;            private String password;            }        }

Here is the repo : [Link][1]

Here are the screenshots : [Link][2]

**To run the app,**

1 ) Run Service Registery (Eureka Server)

2 ) Run config server

3 ) Run zipkin and redis through these commands shown below on docker
     docker run -d -p 9411:9411 openzipkin/zipkin      docker run -d --name redis -p 6379:6379 redis

4 ) Run api gateway

5 ) Run other services


 [1]: https://github.com/Rapter1990/microservicecoursedailybuffer
 [2]: https://drive.google.com/drive/folders/1BCMSj9STszd-GaHWJZE4a0IuLpUcXBxj?usp=sharing

In you WebSecurityConfig class, can you change this:
.antMatchers("/order/**")
into this mvcMatchers("/orders/**") ?

Also, are you sure you have the right authority to access to order?  

Have you ever looked though my order-service like showing OrderController class?

Your OrderController looks ok. But you mentioned that your security config is preventing you to access the order service.

Yeah, I mentioned it. How can I do that?

First of all, make sure your credentials are something authorized to log on to the service.

Himai Minh wrote:First of all, make sure your credentials are something authorized to log on to the service.

I still couldn't fix it. Can you help me if you have any idea about it?

403 error may mean you are authenticated, but you don't have enough privilege to access to the resources.

Himai Minh wrote:403 error may mean you are authenticated, but you don't have enough privilege to access to the resources.

You can clone project from Github.
I already shared project link in my first post.

I am not too familiar with JWT authentication in Spring Security. But I think you don't have the right privilege to access to order service.
Usually, people have a database table to store the users and their privilege. This table is looked up during authorization.