@PreAuthroize has role vs requestMatchers().hasRole()

I have created jwt implementation with Spring Resource Server dependency. Here is config class:

public class WebSecurityConfig {

    private RSAPublicKey publicKey;

    private RSAPrivateKey privateKey;

    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {


                exceptions ->
                                .authenticationEntryPoint(new BearerTokenAuthenticationEntryPoint())
                                .accessDeniedHandler(new BearerTokenAccessDeniedHandler()));

//                .requestMatchers("/hello").hasRole("ROLE_USER")

        return http.build();

    public AuthenticationManager authManager(UserDetailsServiceImpl userDetailsService) {
        var authProvider = new DaoAuthenticationProvider();
        return new ProviderManager(authProvider);

    public JwtEncoder jwtEncoder() {
        var jwk = new RSAKey.Builder(publicKey).privateKey(privateKey).build();
        var jwks = new ImmutableJWKSet<>(new JWKSet(jwk));
        return new NimbusJwtEncoder(jwks);

    public JwtDecoder jwtDecoder() {
        return NimbusJwtDecoder.withPublicKey(publicKey).build();

    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        var jwtGrantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();

        var jwtAuthenticationConverter = new JwtAuthenticationConverter();
        return jwtAuthenticationConverter;

    public CorsFilter corsFilter() {
        UrlBasedCorsConfigurationSource source =
                new UrlBasedCorsConfigurationSource();
        CorsConfiguration config = new CorsConfiguration();
        source.registerCorsConfiguration("/**", config);
        return new CorsFilter(source);

    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();

    public AuthenticationManager authenticationManager(
            AuthenticationConfiguration authenticationConfiguration) throws Exception {
        return authenticationConfiguration.getAuthenticationManager();

And I have simple controller:

public class HelloController {

    public String hello() {
        return "Hello!";

If I use @PreAuthorize("hasRole('ROLE_USER')") I always return a 403 status code. But if I do the same but in the config file: requestMatchers("/hello").hasRole("ROLE_USER"), then it is working as expected. I have the @EnableMethodSecurity annotation so @PreAuthorize should work, but for some reason, it doesn't. Also, why do I need to add ROLE_ in hasRole() method? I thought Spring should handle it for me.

Main question is why hasRole() works for requestMatchers() but doesn't for @PreAuthorize.

Here is the link to gitHub repo if needed(don't pay attention to commit messages): https://github.com/EternalSadnes/chat-app


Here is logs after failing request to /hello endpoint with @PreAuthorize annotation:

2022-12-05T12:27:45.300+02:00 DEBUG 6260 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : Securing GET /hello
2022-12-05T12:27:45.312+02:00 DEBUG 6260 --- [nio-8080-exec-2] o.s.s.o.s.r.a.JwtAuthenticationProvider  : Authenticated token
2022-12-05T12:27:45.313+02:00 DEBUG 6260 --- [nio-8080-exec-2] .s.r.w.a.BearerTokenAuthenticationFilter : Set SecurityContextHolder to JwtAuthenticationToken [Principal=org.springframework.security.oauth2.jwt.Jwt@621ae24b, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ROLE_USER]]
2022-12-05T12:27:45.315+02:00 DEBUG 6260 --- [nio-8080-exec-2] o.s.security.web.FilterChainProxy        : Secured GET /hello
2022-12-05T12:27:45.317+02:00 DEBUG 6260 --- [nio-8080-exec-2] horizationManagerBeforeMethodInterceptor : Authorizing method invocation ReflectiveMethodInvocation: public java.lang.String com.eternal.chatapp.controller.HelloController.hello(); target is of class [com.eternal.chatapp.controller.HelloController]
2022-12-05T12:27:45.347+02:00 DEBUG 6260 --- [nio-8080-exec-2] horizationManagerBeforeMethodInterceptor : Failed to authorize ReflectiveMethodInvocation: public java.lang.String com.eternal.chatapp.controller.HelloController.hello(); target is of class [com.eternal.chatapp.controller.HelloController] with authorization manager org.springframework.security.config.annotation.method.configuration.DeferringObservationAuthorizationManager@e30a265 and decision ExpressionAuthorizationDecision [granted=false, expressionAttribute=hasRole('ROLE_USER')]

Any ideas on how I can debug it deeper or what should I pay attention to?


Indeed, security debug logs were helpful. From them, I saw that spring at some point adds ROLE_ to granted authorities and it results in ROLE_ROLE_USER. I was able to fix this just by adding roles into the token without ROLE_ prefix.

String[] scope = user.getAuthorities().stream()
        .map(grantedAuthority -> StringUtils.substringAfter(grantedAuthority.getAuthority(),"ROLE_"))

I saw somewhere that we can prevent Spring from adding role prefixes but I have lost this article.