Reputation: 463
I'm getting the error 403 Forbidden for the POST endpoint; the other endpoints are working as expected.
I have 4 endpoints and I need to reproduce the authentication behavior:
GET \users - no authentication
GET \details\1 - needs authentication
GET \users\1 - needs authentication
POST \users\1 - needs authentication
My configuration class:
    @Configuration
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(AuthenticationManagerBuilder auth)
                throws Exception {
            auth.inMemoryAuthentication()
                .passwordEncoder(org.springframework.security.crypto.password.NoOpPasswordEncoder.getInstance())
                .withUser("user").password("pwd")
                .roles("USER").and().withUser("admin").password("pwd")
                .roles("USER", "ADMIN");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                .antMatchers("/users").permitAll()
                .anyRequest().authenticated()
                .and()
                .httpBasic();
        }
    }
Maven dependency:
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
Upvotes: 2
Views: 3319
Reputation: 835
I found this helpful
http.csrf().disable().cors().and().....
Upvotes: 2
Reputation: 15908
I suspect csrf is causing the problem.
Even if you are not using csrf, it will still be enabled by default. See Cross Site Request Forgery (CSRF). So try disabling csrf protection.
If you enable CSRF in the security, your post requests need to be updated to include some extra information. It explains why GET works, but POST doesn't.
In your case, try disabling it like below, and see if it fixes the problem.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf().disable();
    }
Upvotes: 8
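The two CSRF choices discussed in the answers, shown in one configuration class. This is an added example, not code from any of the posts. It keeps the question's authorization rules in the same configure() method, and the class name CsrfAwareSecurityConfig and the BROWSER_CLIENTS switch are hypothetical names introduced for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Added example. The in-memory users from the question are omitted here;
// only the HTTP security rules are shown.
@Configuration
public class CsrfAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    // Hypothetical switch (assumption): true when the API is called from a
    // browser that holds a session or cached credentials, false when it is
    // called only by non-browser clients sending HTTP Basic on every request.
    private static final boolean BROWSER_CLIENTS = true;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Authorization rules taken from the question. They must live in the
        // same method as the CSRF setting, otherwise they are not applied.
        http
            .authorizeRequests()
            .antMatchers("/users").permitAll()
            .anyRequest().authenticated()
            .and()
            .httpBasic();

        if (BROWSER_CLIENTS) {
            // Keep CSRF protection on. The token is issued in the XSRF-TOKEN
            // cookie (readable by JavaScript because HttpOnly is false), and
            // every POST/PUT/DELETE must echo it in the X-XSRF-TOKEN header.
            // A POST without that header still gets 403 Forbidden.
            http
                .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        } else {
            // Disable CSRF only together with stateless sessions, so that no
            // session cookie exists for a forged cross-site request to reuse.
            http
                .csrf().disable()
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        }
    }
}
```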