Dharita Chokshi
Reputation: 1263
403 response for POST/PUT/DELETE request in spring boot + spring security application
I am using spring security in my spring boot rest app. Get requests are working fine but POST/PUT/DELETE request are giving "403 Forbidden". Below is my code snippet. UI is in Angular 6
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private UserService userService;
@Override
protected void configure(HttpSecurity http) throws Exception {
CustomAuthorizationFilter customAuthorizationFilter = new CustomAuthorizationFilter(authenticationManager());
customAuthorizationFilter.setUserService(userService);
http.cors().and().authorizeRequests().anyRequest().authenticated().and().addFilter(customAuthorizationFilter);
}
@Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/v2/api-docs", "/configuration/ui", "/swagger-resources", "/configuration/security",
"/swagger-ui.html", "/webjars/**");
}
@Bean
public CorsConfigurationSource corsConfigurationSource() {
final CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("*"));
configuration.setAllowedMethods(Arrays.asList("HEAD", "GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"));
// setAllowCredentials(true) is important, otherwise:
// The value of the 'Access-Control-Allow-Origin' header in the response must
// not be the wildcard '*' when the request's credentials mode is 'include'.
configuration.setAllowCredentials(true);
// setAllowedHeaders is important! Without it, OPTIONS preflight request
// will fail with 403 Invalid CORS request
configuration.setAllowedHeaders(ImmutableList.of("Authorization", "Cache-Control", "Content-Type"));
final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
}
Browser response:
Upvotes: 4
Views: 6472
Answers (1)
Dharita Chokshi
Reputation: 1263
Disable csrf in config
http.csrf().disable().cors().and().....
Upvotes: 10
Related Questions
- 403 Forbidden while doing delete request. Spring boot rest api
- DELETE 403 (Forbidden) error spring-mvc and rest implementation
- 403 forbidden when I try to post to my spring api?
- "status": 403, "error": "Forbidden", "message": "Forbidden", "path": "/post/create"
- Spring security POST method throwing 403 error
- 403 forbidden error when using Spring boot - security
- Spring boot default security enabled : Rest Service GET is working fine PUT and POST failing with 403 error
- Spring Security- Allows GET but not POST
- spring security with angular2 giving 403 forbidden error only on POST,PUT and delete
- Spring Security for rest application. POST always return 403 code