A New Collection of Thoughtful Learning Apps — Now Available on iOS & Android

By -
Image
I’m excited to share a set of mobile apps I’ve recently completed and published on both the Google Play Store and the Apple App Store. These apps are designed with a simple goal in mind: to make meaningful, structured content more accessible, whether you’re studying theology or improving your English vocabulary. 📱 Now Available on Both Platforms All apps are live and available for download: Google Play Developer Page: https://play.google.com/store/apps/dev?id=5835943159853189043 Apple App Store Developer Page: https://apps.apple.com/ca/developer/q-z-l-corp/id1888794100 📖 Theology & Confession Study Apps For those interested in Reformed theology and classical Christian teachings, I’ve developed a series of apps that present foundational texts in a clean, focused reading format: The Belgic Confession Canons of Dort Heidelberg Catechism Westminster Shorter Catechism Each app is designed to provide a distraction-free experience, making it easier to read, reflect, and revisit these im...
Post a Comment

Token is valid but still 403 — 5 real reasons in Spring Security

By -

Token is valid but still 403 — 5 real reasons in Spring Security

This is one of the most confusing Spring Security problems:

“My JWT token is valid. It’s not expired. But I still get 403 Forbidden.”

At this point, authentication has already succeeded.

A 403 means only one thing:

You are authenticated — but not authorized.

This post walks through five real-world reasons why this happens, and how to identify the exact cause quickly.

Quick refresher: where 403 comes from

Spring Security processes a request like this:

  1. Authenticate the request
  2. Extract authorities
  3. Evaluate authorization rules

If step 1 fails → 401 If step 2 or 3 fails → 403

So when you see a 403, the question is not “is my token valid?” but:

What authorities does Spring think I have?

Reason 1: Role name mismatch (the most common)

You configure: 

.hasRole("ADMIN")

But your token contains: 

ROLE_ADMIN

or:

admin

Spring Security does exact string matching.

There is no automatic normalization.

If the strings don’t match exactly, access is denied.

Debug tip:
Log Authentication.getAuthorities() right before authorization.

Reason 2: Authorities were never mapped from the JWT

JWT validation can succeed even if no authorities are extracted.

Result:

  • ✅ token valid
  • ✅ authenticated
  • ❌ no roles → 403

This usually happens when:

  • Roles are stored in a custom claim
  • You rely on default converters

Spring does not guess where your roles are.

Debug tip:
If getAuthorities() is empty, the problem is mapping — not authorization rules.

Reason 3: hasRole vs hasAuthority confusion

These two are not the same: 

.hasRole("ADMIN")
.hasAuthority("ADMIN")

Key difference:

  • hasRole("ADMIN") checks for ROLE_ADMIN
  • hasAuthority("ADMIN") checks for ADMIN

Mixing these up guarantees a 403.

Rule of thumb:
Pick one convention and use it everywhere.

Reason 4: Wrong security matcher — rule never applies

Your rule looks correct: 

.requestMatchers("/api/admin/**").hasRole("ADMIN")

But the actual request is: 

/v1/api/admin/users

Result:

  • Rule doesn’t match
  • Fallback rule applies
  • Access denied

Debug tip:
Enable DEBUG logs and check which matcher was evaluated.

Reason 5: Reactive (WebFlux) context loss

In WebFlux, security context is not thread-local.

If you:

  • Switch schedulers
  • Manually subscribe
  • Break the reactive chain

The authentication context may be lost.

Result:

  • Token validated
  • Authorities missing downstream
  • 403 returned

Debug tip:
Log authorities inside the reactive chain, not outside.

A simple 403 debugging checklist

When you hit a 403, check these in order:

  1. Is authentication successful?
  2. What authorities were extracted?
  3. Which rule was evaluated?
  4. Does the rule match the request?

If any step is unclear, your logs are insufficient.

Final thoughts

A valid token does not guarantee access.

403 errors are almost always about:

  • Role naming
  • Authority mapping
  • Matcher logic

Once you log the right place, the fix is usually obvious.

Up next:
How to log exactly why Spring Security denied access — without flooding your logs.

Part of the Spring Boot SSO Series

❤️ Support This Blog

If this post helped you, you can support my writing with a small donation. Thank you for reading.

Coffee ☕ Thanks 🙏 Extra Support ❤️

Comments

Post a Comment

Popular Posts

2026 Begins: Choosing to Stay on the Path as a Blogger

By -
Image
  Today is January 1st, 2026 . Before rushing into new goals, I spent some time looking back at the past 12 months of data for this blog — the quiet numbers that tell a very honest story. Looking Back at the Numbers Over the past year: 📈 Total views: ~44,600 👀 Daily average visits: ~200 💬 Comments: 19 💰 AdSense income: about $0.01 per month At first glance, these numbers may look small — especially the income. But when I zoom out, I see something more meaningful. This blog has been quietly read every single day . No viral posts. No aggressive promotion. No paid traffic. Just consistent readers arriving through search, bookmarks, and curiosity. That consistency matters. What the Traffic Graph Tells Me The graph over the last 12 months shows something important: Early months were quiet and uneven Mid-year brought steady growth Toward the end of the year, traffic became more stable , with clear spikes when certain posts resonated This tell...
Read more

Health Checks and Scaling Strategies for Next.js in Kubernetes

By -
Image
Health Checks and Scaling Strategies for Next.js in Kubernetes This is Part 6 and the final post of the series: Self-Hosting Next.js in Kubernetes (Without Vercel) . At this point, your Next.js standalone app: Builds cleanly Runs in a minimal Docker image Deploys correctly on Kubernetes / OpenShift Serves static assets properly Uses runtime configuration and secrets Now let’s make it resilient and scalable . Why Health Checks Matter Kubernetes relies on health checks to: Know when a pod is ready to receive traffic Restart unhealthy containers Safely roll out new versions Without proper probes, traffic can be sent to a pod that isn’t ready yet. Readiness Probe A readiness probe tells Kubernetes: “This pod can accept traffic.” For most Next.js apps, the root path works well: readinessProbe: httpGet: path: / port: 3000 initialDelaySeconds: 10 periodSeconds: 5 If your app depends on downstream services (APIs, d...
Read more