abc

Reputation: 512

Postman 403 Forbidden message

I made some API with REST Spring. A GET request works fine in Postman, but when I try to do a POST request I receive this error:

{
    "timestamp": "2018-09-25T06:39:27.226+0000",
    "status": 403,
    "error": "Forbidden",
    "message": "Forbidden",
    "path": "/cidashboard/projects"
}

This is my controller :

@RestController
@RequestMapping(ProjectController.PROJECT_URL)
public class ProjectController {

    public static final String PROJECT_URL = "/cidashboard/projects";

    private final ProjectService projectService;

    public ProjectController(ProjectService projectService) {
        this.projectService = projectService;
    }

    @GetMapping
    List<Project> getAllProjects(){
        return projectService.findAllProjects();
    }

    @GetMapping("/{id}")
    Project getProjectById(@PathVariable int id) {
        return projectService.findProjectById(id);
    }

    @PostMapping
    void addProject(@RequestBody Project newProject) {
        projectService.saveProject(newProject);
    }
}

Security configuration. Initially I wanted to work with LDAP, but in my application properties I left only the connection to the database.

@EnableGlobalMethodSecurity
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/css/**").permitAll();
//                .anyRequest().fullyAuthenticated();
//                .and()
//                .formLogin().loginPage("/login").permitAll()
//                .failureUrl("/login-error");
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
                .ldapAuthentication()
                .userDnPatterns("uid={0},ou=people")
                .groupSearchBase("ou=groups")
                .contextSource(contextSource())
                .passwordCompare()
                //.passwordEncoder(new LdapShaPasswordEncoder())
                .passwordAttribute("userPassword");
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
                .ignoring()
                .antMatchers("/resources/static/**"); // #3
    }

    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        return new DefaultSpringSecurityContextSource(Arrays.asList("ldap://localhost:8389/"), "dc=springframework,dc=org");
    }
}

Upvotes: 11

Views: 76566

Answers (4)

abdulmutalip oral

Reputation: 1

I was also getting the same error. I found the solution using a different application, not Postman (Insomnia REST Client). When I went back to Postman after wondering, I realized that it is related to permissions in Spring Security. So after setting the permissions it will work.

Upvotes: -1

FrozenBanana

Reputation: 51

In case you want to solve this issue without compromising security, you can send the xsrf-token with your request in postman.

  1. Create a new environment in Postman (e.g. "local").
  2. Create a new variable in this environment (e.g. "xsrf-token")
  3. Go back to your request and make sure the right environment is selected on the top right corner ("local" in this case)
  4. In your POST request, add a header with key "X-XSRF-TOKEN" and value "{{xsrf-token}}"
  5. In the "tests" tab, add following code:
var xsrfCookie = pm.cookies.get('XSRF-TOKEN');
pm.environment.set("xsrf-token", xsrfCookie);

The first time you make this request, you will still get a 403, but you'll also receive a cookie with the xsrf-token. The script will copy this token into the environment variable, and the next requests you make will use the appropriate token.

Upvotes: 1

Thilina Chamika

Reputation: 330

Check that the "User-Agent" is included in the Headers section; if not, add the "User-Agent" field.

Upvotes: 1

drowny

Reputation: 2147

Enabling Spring Security with @EnableWebSecurity by default enables CSRF support; you have to disable it to prevent Forbidden errors.

@Override
protected void configure(HttpSecurity http) throws Exception {
     http       //other configure params.
         .csrf().disable();
}

PS: for a 415 Unsupported Media Type error, add an annotation like this to your mapping for the type of data being sent from Postman.

@PostMapping(consumes = "application/json")
void addProject(@RequestBody Project newProject) {
    projectService.saveProject(newProject);
}

Upvotes: 11
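The two answers above take opposite routes: one disables CSRF outright, the other keeps it and feeds the XSRF-TOKEN cookie back as the X-XSRF-TOKEN header. The configuration below, an added example rather than code from the question or any answer, implements the second route on the server side with Spring Security's CookieCsrfTokenRepository, so Postman (via the pm.cookies script above) or a browser client can read the cookie and echo it; it keeps the asker's /css/** rule, assumes HTTP Basic for the Postman login, and leaves out the LDAP AuthenticationManagerBuilder part of the original class.

```java
// Added example (not from the question or the answers): keep CSRF protection on,
// but issue the token in a readable cookie instead of disabling it.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/css/**").permitAll()   // same static-asset rule as the question
                .anyRequest().authenticated()         // everything else needs a logged-in user
                .and()
            // Assumption: HTTP Basic so Postman can authenticate with the Authorization tab.
            .httpBasic()
                .and()
            // Instead of .csrf().disable():
            // CookieCsrfTokenRepository stores the token in an "XSRF-TOKEN" cookie.
            // withHttpOnlyFalse() lets client-side scripts (and Postman's pm.cookies)
            // read it. CsrfFilter then expects the same value back in the
            // "X-XSRF-TOKEN" header on every POST/PUT/PATCH/DELETE; a request without
            // it, or with a stale value, still gets 403 Forbidden.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

With this in place a first GET (for example to /cidashboard/projects) sets the XSRF-TOKEN cookie, and the Postman test script from the earlier answer copies it into the header for the following POST; safe methods such as GET are never checked.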
