Reputation: 286
I have my Spring Boot application and I'm trying to add Spring Security, but when I send a request through Postman I keep getting a 403 Forbidden. Online I found I should add ".csrf().disable()" to my configure, but it didn't work. (Everything works if I put the method with path "person/**" in the permitAll().)
Here is my code:
    @Data
    @AllArgsConstructor
    @NoArgsConstructor
    @Document("User")
    public class User {
        @Id
        private String id;
        private String name;
        private String password;
        private String email;
        private Set<UserRole> roles;
    }
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
        private final UserDetailsService userDetailsService;
        private final BCryptPasswordEncoder encoder;

        @Override
        protected void configure(AuthenticationManagerBuilder auth) throws Exception {
            auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            log.info("HttpSecurity: {}", http);
            http.authorizeRequests()
                .antMatchers("/user/saveUser").permitAll()
                .antMatchers("/person/**").hasAnyRole()
                .and().csrf().disable().cors().disable();
        }
    }
    public class UserService implements UserDetailsService {
        private final UserRepository userRepo;
        private final BCryptPasswordEncoder passwordEncoder;

        @Override
        public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
            log.info("mail request: {}", email);
            Optional<User> opt = userRepo.findUserByEmail(email);
            log.info("Find user: {}", opt);
            org.springframework.security.core.userdetails.User springUser = null;
            if (opt.isEmpty()) {
                throw new UsernameNotFoundException("User with email: " + email + " not found");
            } else {
                User user = opt.get();
                Set<UserRole> roles = user.getRoles();
                Set<GrantedAuthority> grantedAuthorities = new HashSet<>();
                for (UserRole role : roles) {
                    grantedAuthorities.add(new SimpleGrantedAuthority(role.name()));
                }
                springUser = new org.springframework.security.core.userdetails.User(
                    email,
                    user.getPassword(),
                    grantedAuthorities);
            }
            return springUser;
        }
    }
My controller for User:
    @RestController
    @RequestMapping("user")
    public class UserController {
        private final UserService userService;

        @PostMapping("/saveUser")
        public ResponseEntity<String> saveUser(@RequestBody User user) {
            log.info("Registering User: {}", user);
            userService.saveUser(user);
            return ResponseEntity.ok("registered User");
        }
    }
My person controller (the method where I get 403):
    @RestController
    @RequestMapping("person")
    public class PersonController {
        @Autowired
        PersonService personService;

        @GetMapping("/getAll")
        public ResponseEntity<List> getAll() throws IOException {
            return ResponseEntity.ok(PersonService.findAll());
        }
    }
This is the first time I've used Spring Security. I followed a tutorial online, but I really can't figure out why every time I put my request in security I still get 403 Forbidden.
Upvotes: 1
Views: 2047
Reputation: 1668
I think you might need to add @Configuration and @EnableWebSecurity annotations to your SecurityConfig class, because spring-security can't see your security configuration without them.
See reference documentation: https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/config/annotation/web/configuration/EnableWebSecurity.html
Mind also that WebSecurityConfigurerAdapter has been deprecated since 5.7.0-M2, so you might consider creating a bean of type SecurityFilterChain to configure security in your app if you use later versions of spring-security.
Upvotes: 0
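
The SecurityFilterChain style of configuration mentioned in the answer, as an added example that is not code from the question or the answer. It assumes Spring Security 5.8 or later, HTTP Basic as the login mechanism, and hypothetical UserRole values USER and ADMIN. It uses hasAnyAuthority because the question's UserService stores role.name() as the authority without the "ROLE_" prefix that hasRole/hasAnyRole look for.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Both annotations are required for Spring to register this configuration.
@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // The UserDetailsService bean (UserService in the question) and the
    // BCryptPasswordEncoder bean are picked up automatically when exactly
    // one of each exists, so no AuthenticationManagerBuilder override is needed.
    @Bean
    public SecurityFilterChain apiSecurity(HttpSecurity http) throws Exception {
        http
            // CSRF is disabled as in the question. This is only appropriate
            // because the API below is stateless and does not authenticate
            // requests with a browser session cookie.
            .csrf(csrf -> csrf.disable())
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                // Registration stays open, as in the question.
                .requestMatchers("/user/saveUser").permitAll()
                // "USER" and "ADMIN" are assumed enum names of UserRole.
                // hasAnyAuthority compares the authority string as stored;
                // hasAnyRole("USER") would look for "ROLE_USER" instead.
                .requestMatchers("/person/**").hasAnyAuthority("USER", "ADMIN")
                // Deny by default: anything not listed needs a login.
                .anyRequest().authenticated())
            // An authentication mechanism must be enabled, otherwise no
            // request can ever present credentials to be authorized.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

On Spring Security 5.7, antMatchers(...) takes the place of requestMatchers(...) in the same positions.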