Reputation: 2421
Spring Security HTTP 403 Forbidden
I've been trying to secure a rest-api resource. However, it seems that the /auth/** REST-API always throws 403 Forbidden even though i have permitted it on the configuration. see below
@Override
protected void configure(HttpSecurity http) throws Exception {
logger.info("Setting Endpoint Security.");
http
.authorizeRequests()
.antMatchers("/auth/**").permitAll()
.anyRequest().authenticated()
.and()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.csrf().disable();
}
This is on the WebSecurityConfigclass extending WebSecurityConfigurerAdapter
Here is the spring security debug logs
2018-11-18 20:14:27.923 INFO 8476 --- [nio-8080-exec-1] Spring Security Debugger :
************************************************************
Request received for POST '/api/v1/auth/login':
org.apache.catalina.connector.RequestFacade@1a183946
servletPath:/api/v1
pathInfo:/auth/login
headers:
content-type: application/x-www-form-urlencoded
cache-control: no-cache
postman-token: 5bd56859-b8e9-4ebf-977c-452f1bce837e
user-agent: PostmanRuntime/7.4.0
accept: */*
host: localhost:8080
cookie: JSESSIONID=D80F964AA5B53DC7F20ACF59606FA719
accept-encoding: gzip, deflate
content-length: 29
connection: keep-alive
Security filter chain: [
WebAsyncManagerIntegrationFilter
SecurityContextPersistenceFilter
HeaderWriterFilter
LogoutFilter
RequestCacheAwareFilter
SecurityContextHolderAwareRequestFilter
AnonymousAuthenticationFilter
SessionManagementFilter
ExceptionTranslationFilter
FilterSecurityInterceptor
]
************************************************************
and here is the resource i am trying to access
@Path("/auth")
@Component
public class Auth {
private static final Logger logger = LoggerFactory.getLogger(Auth.class);
@POST
@Path("/login")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
public Response login(@FormParam("username") String user,
@FormParam("password") String pass) {
logger.info("Form-data [username] {}",user);
logger.info("Form-data [password] {}",pass);
return Response.ok().build();
}
@POST
@Path("/logout")
@Produces({ MediaType.APPLICATION_JSON })
public String logout() {
return "Login!";
}
}
Just so we are clear, i am using Jersey + Spring Boot
Here is Jersey Config
@Configuration
@ApplicationPath("api/v1")
public class JerseyConfig extends ResourceConfig{
public JerseyConfig() {
}
@PostConstruct
public void setUp() {
register(Wish.class);
register(Auth.class);
register(User.class);
register(GenericExceptionMapper.class);
}
}
Now, as what i understand on the http method series in configuremethod.
First, http auhthorizes request, matches /auth/** and permits it, other requests needs to be authorized. However, when i try requesting http://localhost:8080/api/v1/auth/login it always returns 403 Forbidden.
Can somebody point out the mistakes or maybe my understanding is not correct.
Upvotes: 0
Views: 3274
Answers (1)
Reputation: 4475
your configuration only permit http://localhost:8080/auth/** not http://localhost:8080/api/v1/auth/**,
so change it to something like:
.antMatchers("/api/v1/auth/**").permitAll()
it should be the first one in the order
Upvotes: 2
Related Questions
- 403 Forbidden when introducing authorization on spring boot rest
- Spring security always returns HTTP 403
- HTTP 403 forbidden error in spring boot security
- 403 forbidden - Spring Security
- Spring Security Always returning 403 forbidden, Access denied
- How to fix 403 forbidden in Spring security and Spring data JPA with Jersey rest
- spring security Rest API error -403 forbidden
- Spring security - Getting 404 error for REST call
- Spring Rest-API - 403 forbidden error response
- HTTP Status 403 - Access is denied Spring security