NyxRL

Reputation: 31

Springboot Angular security - 403 forbidden on REST calls

We have a Springboot 2.0.x and Angular 6 multi-module application, using the OpenID Connect 1.0 implementation of the OAuth2 standard as security. Initial security works, authenticates and authorizes, and lands on the Home page. But for some reason, our POST and DELETE REST calls are getting 403 Forbidden status codes, for authenticated and authorized users. GET calls are unaffected and still work.

Does anybody have any idea on any reason for this? We don't have any roles made that filter what any user can do. Just that all users, once authenticated and authorized, will be able to POST, DELETE, and GET.

Here's the SecurityConfig:

@Override
public void configure(WebSecurity web) throws Exception {
    System.out.println("Error!!/resources/**");
    web.ignoring().antMatchers("/resources/**");
}

@Bean
public OpenIdConnectFilter myFilter() {
    final OpenIdConnectFilter filter = new OpenIdConnectFilter("/auth/sso/callback");
    filter.setRestTemplate(restTemplate);
    return filter;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
    .addFilterAfter(new OAuth2ClientContextFilter(), AbstractPreAuthenticatedProcessingFilter.class)
    .addFilterAfter(myFilter(), OAuth2ClientContextFilter.class)
    .httpBasic().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/auth/sso/callback"))
    // .httpBasic().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/google-login"))
    .and()
    .authorizeRequests()
    .antMatchers("/errorPage").permitAll()
    .anyRequest().authenticated()
    ;
    // @formatter:on
}

POST signature:

@PostMapping("/spreadsheet/upload/{uploader}/(unknown)")
public ResponseEntity<?> uploadSpreadsheet(@RequestBody MultipartFile file, @PathVariable("uploader") String uploader, @PathVariable("filename") String filename) {

DELETE signature:

@DeleteMapping("/spreadsheet/{uploader}/(unknown)")
public ResponseEntity<?> deleteUploadedSpreadsheet(@PathVariable(value = "uploader") String uploader, @PathVariable String filename) {

Upvotes: 1

Views: 3598

Answers (1)

NyxRL

Reputation: 31

Found the culprit: it was due to CSRF; I didn't know that it was configured and enabled by default. Once we disabled that, by adding

 .and().csrf().disable()

in

@Override
protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
    .addFilterAfter(new OAuth2ClientContextFilter(), AbstractPreAuthenticatedProcessingFilter.class)
    .addFilterAfter(myFilter(), OAuth2ClientContextFilter.class)
    .httpBasic().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/auth/sso/callback"))
    // .httpBasic().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/google-login"))
    .and()
    .authorizeRequests()
    .antMatchers("/errorPage").permitAll()
    .anyRequest().authenticated()
    .and().csrf().disable()
    ;
    // @formatter:on
}

POST and DELETE worked again. But of course, this solution is disabling this part of security. But, now that we know, we'll just configure CSRF to work for the app without forbidding POST and DELETE.

Thanks

Upvotes: 2
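An added example (not code from the original post) of the follow-up the answer describes: keeping CSRF protection enabled instead of disabling it, by storing the token in a cookie that Angular's HttpClient reads back and sends as an X-XSRF-TOKEN header on POST and DELETE. It assumes the same OpenIdConnectFilter class and OAuth2RestTemplate as the question's SecurityConfig (package name of OpenIdConnectFilter assumed).

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.OAuth2RestTemplate;
import org.springframework.security.oauth2.client.filter.OAuth2ClientContextFilter;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Assumed: the application's own filter class from the question (package name is a guess).
import com.example.security.OpenIdConnectFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed to be configured elsewhere in the application, as in the question.
    @Autowired
    private OAuth2RestTemplate restTemplate;

    @Bean
    public OpenIdConnectFilter myFilter() {
        final OpenIdConnectFilter filter = new OpenIdConnectFilter("/auth/sso/callback");
        filter.setRestTemplate(restTemplate);
        return filter;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .addFilterAfter(new OAuth2ClientContextFilter(), AbstractPreAuthenticatedProcessingFilter.class)
            .addFilterAfter(myFilter(), OAuth2ClientContextFilter.class)
            .httpBasic().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/auth/sso/callback"))
            .and()
            .authorizeRequests()
                .antMatchers("/errorPage").permitAll()
                .anyRequest().authenticated()
            .and()
            // CSRF stays enabled. The token is written to an XSRF-TOKEN cookie that is
            // readable by script (httpOnly=false), so Angular's HttpClient can copy it
            // into the X-XSRF-TOKEN header it adds to non-GET requests. Spring's
            // CsrfFilter then accepts the POST/DELETE instead of answering 403.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

Angular's HttpClient only attaches the header for same-origin relative URLs and skips GET/HEAD, so the REST calls must use relative paths and a prior GET must have set the cookie.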
