Spring security filter blocking restful api calls

Question

I have a web application using Spring 4. I'm using Spring security here. In the mean time I need to open a restful api with no security. Issue is till the security filter is enabled my rest rest POST calls get a 405 Method Not Allowed response(Still the GET works). In mean time server log says

.11:27:13.058 [http-bio-8080-exec-5] WARN  o.s.web.servlet.PageNotFound - Request method 'POST' not supported

When I comment the security filter from the web.xml POST works fine. I tried adding following line to security xml but didn't help.

<intercept-url pattern="/rest**" access="permitAll" />

My web.xml , security filter is and the end which when commented POST start working.

<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
      http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
     version="2.5">

<display-name>Counter Web Application</display-name>

<servlet>
    <servlet-name>mvc-dispatcher</servlet-name>
    <servlet-class>
        org.springframework.web.servlet.DispatcherServlet
    </servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>mvc-dispatcher</servlet-name>
    <url-pattern>/</url-pattern>
</servlet-mapping>

<listener>
    <listener-class>
        org.springframework.web.context.ContextLoaderListener
    </listener-class>
</listener>

<!-- Loads Spring Security config file -->
<context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>
        /WEB-INF/application-security.xml,
        /WEB-INF/application-database.xml
    </param-value>
</context-param>

 <!--Spring Security -->
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

My application-security.xml

<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:beans="http://www.springframework.org/schema/beans"
         xmlns:security="http://www.springframework.org/schema/security"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<security:http security="none" pattern="**/resources/**"/>

<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">

    <intercept-url pattern="/admin**" access="hasRole('ROLE_ADMIN')" />

    <intercept-url pattern="/rest**" access="permitAll" />

    <!-- access denied page -->
    <access-denied-handler error-page="/access-denied" />

    <form-login
            login-page="/login"
            default-target-url="/admin/dashboard"
            authentication-failure-url="/login?error"
            username-parameter="username"
            password-parameter="password" />
    <logout logout-success-url="/login?logout"  />
    <!-- enable csrf protection -->
    <csrf/>
</http>

<!-- Select users and user_roles from database -->
<authentication-manager>

    <authentication-provider>
        <password-encoder ref="encoder" />
        <jdbc-user-service data-source-ref="dataSource"
                           users-by-username-query="select username,password, enabled from users where username=?"
                           authorities-by-username-query="select username, role from user_roles where username =?" />
    </authentication-provider>

</authentication-manager>

<beans:bean id="encoder" class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder">
    <beans:constructor-arg name="strength" value="10" />
</beans:bean>

My Rest Controller. I have other controllers as well. I have just dummy date here. Tying to get things working first.

    @RestController
    @RequestMapping("/rest/orders")
    public class OrderRestController {

    @Autowired
    private FoodItemService foodItemService;

    @RequestMapping(value = "", method = RequestMethod.POST)
    public Order addOrder(Order orderDto) {
        return orderDto;
    }

    @RequestMapping(value = "", method = RequestMethod.GET)
    public Order getOrder() {
        FoodItem foodItem = foodItemService.findOne(1, Boolean.TRUE);
        Order orderDto = new Order();
        orderDto.setRoomId(23);
        OrderItem orderItem = new OrderItem();
        orderItem.setFoodItem(foodItem);
        orderItem.setAmount(4);
        List<OrderItem> orderItems = new LinkedList<OrderItem>();
        orderItems.add(orderItem);
        orderDto.setOrderItemList(orderItems);
        return orderDto;
    }

Answer 1

Did you try this:

<intercept-url pattern="/rest/**" access="permitAll" />

Answer 2

Issue was csrf being enabled. Should do a further research of disabling csrf and security but for the moment disabling it is the solution.

Answer 3

By giving a look to your controoler, it seems you have 2 methods with no value and they are trying to respond on the URL ..../rest/orders; I'd write it in this way:

@RestController
@RequestMapping("/rest/orders")
public class OrderRestController {

@Autowired
private FoodItemService foodItemService;

@RequestMapping(value = "addOrder", method = RequestMethod.POST)
public Order addOrder(Order orderDto) {
    return orderDto;
}

@RequestMapping(value = "getOrder", method = RequestMethod.GET)
public Order getOrder() {
    FoodItem foodItem = foodItemService.findOne(1, Boolean.TRUE);
    Order orderDto = new Order();
    orderDto.setRoomId(23);
    OrderItem orderItem = new OrderItem();
    orderItem.setFoodItem(foodItem);
    orderItem.setAmount(4);
    List<OrderItem> orderItems = new LinkedList<OrderItem>();
    orderItems.add(orderItem);
    orderDto.setOrderItemList(orderItems);
    return orderDto;
}

after that, if I want to call the addOrder method I'd do a REST call to the URL /rest/orders/addOrder (using POST method), if I want to call the getOrder method, i'd do a REST call to the URL /rest/orders/getOrder. Morevoer I'd pass a parameter (orderId for example) to the getOrder method so I can load the selected order