@Test public void testGetOrders() throws Exception { mockMvc.perform(get(“/admin/api/orders/”) .with(jwt().authorities(new SimpleGrantedAuthority(“USER”)))) .andExpect(status().isForbidden()); This test should return status code 403, but it seems that as long as there’s some kind of authentication, it will always return 200 regardless of authorities set in the token. Here’s my SecurityConfig: @Bean public SecurityFilterChain filterChain(HttpSecurity http) throws Exception{ http .csrf(AbstractHttpConfigurer::disable) .authorizeHttpRequests(auth […]