Error 403 on Spring Boot web API without Spring Security

Question

I'm building a web API based on Spring Boot with the following POM configuration

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.4.0</version>
        <relativePath />
    </parent>

    <properties>
        <!-- Required section -->
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
        <maven.compiler.target>8</maven.compiler.target>
        <maven.compiler.source>8</maven.compiler.source>
        <java.version>1.8</java.version>
        <java-platform-sdk.version>0.5</java-platform-sdk.version>
        <springdoc.openapi.version>1.4.2</springdoc.openapi.version>
        <springdoc.openapi.maven.plugin.version>1.0</springdoc.openapi.maven.plugin.version>
        <spring.boot.maven.plugin.version>2.1.10.RELEASE</spring.boot.maven.plugin.version>
        <sonar.language>java</sonar.language>
        <sonar.java.coveragePlugin>jacoco</sonar.java.coveragePlugin>
        <sonar.dynamicAnalysis>reuseReports</sonar.dynamicAnalysis>
        <jacoco.version>0.8.3</jacoco.version>
        <sonar.coverage.jacoco.xmlReportPaths>target/jacoco-ut/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
        <sonar.host.url>http://10.151.9.50:9000</sonar.host.url>
        <sonar.login>admin</sonar.login>
        <sonar.password>admin</sonar.password>
        <argLine></argLine>
        <!-- /Required section -->
    </properties>

    <dependencies>
        <!-- Required section -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-webflux</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-logging</artifactId>
                </exclusion>
            </exclusions>
        </dependency>

        <dependency>
            <groupId>org.springframework.retry</groupId>
            <artifactId>spring-retry</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-neo4j</artifactId>
        </dependency>

        <dependency>
            <groupId>org.projectlombok</groupId>
            <artifactId>lombok</artifactId>
            <version>1.18.12</version>
            <scope>provided</scope>
        </dependency>

        <!-- Test -->
        <dependency>
            <groupId>org.junit.vintage</groupId>
            <artifactId>junit-vintage-engine</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>io.projectreactor</groupId>
            <artifactId>reactor-test</artifactId>
            <scope>test</scope>
        </dependency>

        <!-- Log -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-log4j2</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springdoc</groupId>
            <artifactId>springdoc-openapi-webflux-ui</artifactId>
            <version>${springdoc.openapi.version}</version>
        </dependency>

    </dependencies>

    <repositories>
        <!-- Required section -->
        <repository>
            <id>central</id>
            <name>Maven Central</name>
            <url>https://repo1.maven.org/maven2/</url>
        </repository>
        <repository>
            <id>spring-releases</id>
            <name>Spring Releases</name>
            <url>https://repo.spring.io/libs-release</url>
        </repository>
        <repository>
            <id>neo4j</id>
            <name>Neo4j</name>
            <url>http://m2.neo4j.org/</url>
        </repository>
        <!-- /Required section -->
    </repositories>

    <build>
        <plugins>
            <!-- Required section -->
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <version>${spring.boot.maven.plugin.version}</version>
                <executions>
                    <execution>
                        <id>pre-integration-test</id>
                        <goals>
                            <goal>start</goal>
                        </goals>
                    </execution>
                    <execution>
                        <id>post-integration-test</id>
                        <goals>
                            <goal>stop</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.springdoc</groupId>
                <artifactId>springdoc-openapi-maven-plugin</artifactId>
                <version>${springdoc.openapi.maven.plugin.version}</version>
                <executions>
                    <execution>
                        <id>integration-test</id>
                        <goals>
                            <goal>generate</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <apiDocsUrl>http://localhost:8080/api-docs</apiDocsUrl>
                    <outputFileName>swagger.json</outputFileName>
                    <outputDir>${project.basedir}/../../infrastructure/platform/api</outputDir>
                </configuration>
            </plugin>
            <!-- /Required section -->
        </plugins>
    </build>

</project>

I built verious controller but when I tr to call them with a method which isn't HTTP GET I get a 403 error, looking online it seems that the problem stems from csrf protection but what I can't understand is why this protection is enabled on my project if i haven't imported Spring Boot Security. The link provides even a procedure to disable this unwanted protection but after many attempts of following it I understood that to follow that procedure you have to have the whole Spring Boot Security imported into your project otherwise you get a runtime error or these settings will be ignored but I find strange that I have to import a big chunk of a framework just to disable an unwanted protection and I wanted to know if there's a better way to do that or I made a mistake on the pom.xml since I find and unelegant to import an hevay chunk of framework, and then disable everything of it.

Answer 1

It seems spring security is enabled in your application and you might be having spring security jars in you build path.
Either you can exclude the spring security jars from the build path or try the below Config class to see if that works

@Configuration
public class SecurityConfig  extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable().authorizeRequests().anyRequest().permitAll();
    }
}