zilcuanu

Reputation: 3715

Spring security POST method throwing 403 error

I am building a user registration form. I have POST endpoint for registration and I am able to successfully register.

I have another endpoint called /invalid-token which is also mapped to a POST mapping. I have added both of the endpoints to the permitAll rules as below:

    // authorization rules: these paths are open, everything else needs a login
    http.authorizeRequests()
        .antMatchers(
            "/register",
            "/confirm",
            "/invalid-token",
            "/registration-success")
        .permitAll()
        .anyRequest()
        .authenticated();

When I make a POST request to /invalid-token from the browser, I am getting a 403. I do not understand where I am going wrong.

Response Status:

    General:
    Request URL: http://localhost:8081/invalid-token
    Request Method: POST
    Status Code: 403
    Remote Address: [::1]:8081
    Referrer Policy: no-referrer-when-downgrade

    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Content-Length: 0
    Date: Tue, 23 Apr 2019 05:14:30 GMT
    Expires: 0
    Pragma: no-cache
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block

Upvotes: 1

Views: 782

Answers (1)

ScanQR

Reputation: 3820

I would recommend that you follow standard API definitions when defining microservices.

The issue could be the pattern you have defined, i.e. /invalid-token.

Disabling CSRF worked because in your API URL the pattern /invalid-token has a special character, which I guess is allowed by Spring Security.

When CSRF is enabled then somehow the - is causing Spring Security to mark it as 403.

You can try with the pattern /invalid/token, even with CSRF enabled, and it should give the required behaviour.

Upvotes: 3
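An added example, not code from the question or the answer, covering the permitAll configuration in the question and the "CSRF disable worked" observation in the answer: in Spring Security the CsrfFilter runs before the authorizeRequests rules are evaluated, so a POST that carries no valid CSRF token is rejected with 403 even on a permitAll path. The example keeps CSRF protection switched on and shows where the token has to travel; the class name, the button label and the Spring Boot 2.x / Thymeleaf setup are assumptions.

```java
// Added example, not the question's or answer's code. Assumes Spring Boot 2.x with
// spring-boot-starter-security and Thymeleaf; RegistrationSecurityConfig is a made-up name.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class RegistrationSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Weak fix mentioned in the thread: http.csrf().disable();
        // That removes CSRF protection from every endpoint, not just /invalid-token.
        http
            .csrf()
                // Keep CSRF on. CsrfFilter runs before authorization, so a POST that
                // carries no valid token is answered with 403 even on a permitAll path.
                // CookieCsrfTokenRepository additionally exposes the token in an
                // XSRF-TOKEN cookie that a browser script can echo back in the
                // X-XSRF-TOKEN header; a server-rendered Thymeleaf form does not need it.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .authorizeRequests()
                // Authorization rules, evaluated only after CsrfFilter has let the request through.
                .antMatchers("/register", "/confirm", "/invalid-token", "/registration-success")
                    .permitAll()
                .anyRequest()
                    .authenticated();
    }

    /*
     * Server-rendered form that posts to /invalid-token with the token included.
     * With Thymeleaf's th:action the hidden _csrf field is added automatically;
     * written out explicitly it is:
     *
     *   <form th:action="@{/invalid-token}" method="post">
     *     <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
     *     <button type="submit">Submit</button>
     *   </form>
     *
     * A fetch() call from the browser instead reads the XSRF-TOKEN cookie and sends
     * its value in the X-XSRF-TOKEN request header.
     */
}
```

A quick check for this class of 403: repeat the POST with the token present and absent; only the token-less request should be refused, while a GET to the same permitAll path succeeds either way.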
