lharry

Reputation: 135

Delete method displays "forbidden" message

I am testing a Spring Boot application that allows me to delete database contents. I temporarily gave access to all endpoints in my configuration:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Allow access to all endpoints
        http.cors().and().authorizeRequests().anyRequest().permitAll();
    }

And the properties are:

spring.datasource.url=jdbc:mariadb://localhost:3307/cardb
spring.datasource.username=root
spring.datasource.password=******
spring.datasource.driver-class-name=org.mariadb.jdbc.Driver

spring.jpa.generate-ddl=true
spring.jpa.hibernate.ddl-auto=create-drop

spring.jpa.show-sql=true

spring.data.rest.basePath=/api

Then I can get the content from the database by using the GET method in the app or from Postman, but I get:

{ "timestamp": "2019-05-11T17:57:36.310+0000", "status": 403, "error": "Forbidden", "message": "Forbidden", }

when I try to delete with the DELETE method.

Why do I have this error, and how can I get the authorization to finally be able to delete objects from the database?

Upvotes: 0

Views: 780

Answers (1)

Toms River

Reputation: 366

You should disable CSRF (Cross-Site Request Forgery) protection, which is enabled by default for any method that modifies state (PATCH, POST, PUT, and DELETE – not GET):

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Disable CSRF protection and allow access to all endpoints
        http.csrf().disable().cors().and().authorizeRequests().anyRequest().permitAll();
    }

Upvotes: 2
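An alternative to switching the check off, shown as an added example that is not part of the answer above: keep CSRF protection enabled and let the client send the token with each state-changing request. It assumes the same `WebSecurityConfigurerAdapter` style used on this page; the class name `CsrfEnabledSecurityConfig` is hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Added example; the class name is an assumption, not code from the question or answer.
@Configuration
@EnableWebSecurity
public class CsrfEnabledSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .cors().and()
            // Keep CSRF protection on. The token is stored in a cookie named
            // XSRF-TOKEN; withHttpOnlyFalse() lets client-side script read it.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            // Same open authorization as in the question (temporary, for testing).
            .authorizeRequests().anyRequest().permitAll();
    }

    // Request contract that results from this configuration:
    //
    //   GET    /api/...   -> allowed without a token
    //   DELETE /api/...   -> 403 Forbidden unless the request carries the
    //                        XSRF-TOKEN cookie and repeats its value in the
    //                        X-XSRF-TOKEN header (or a _csrf parameter)
    //
    // In Postman: send a request, copy the XSRF-TOKEN cookie value from the
    // response, then add it as an X-XSRF-TOKEN header on the DELETE request.
}
```

Disabling CSRF as in the answer is reasonable when the API does not authenticate browsers through cookies or sessions, for example when every request carries a token in a header. When a session cookie is used, the configuration above keeps the DELETE endpoint protected.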
