Reputation: 1
```java
import com.vaadin.flow.server.HandlerHelper;
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

// AdminLoginDetailService and LoginView are the application's own classes (same package assumed).
@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {

    private final AdminLoginDetailService adminLoginDetailService;

    public SecurityConfiguration(final AdminLoginDetailService adminLoginDetailService) {
        this.adminLoginDetailService = adminLoginDetailService;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf
                .ignoringRequestMatchers(
                        "/admin/**", "/admin/trading-accounts", "/admin/algoSignals",
                        "/vaadinServlet/**", "/VAADIN/**", "/frontend/**",
                        "/frontend-es5/**", "/frontend-es6/**") // Allow Vaadin endpoints
            )
            .authorizeRequests(auth -> auth
                .requestMatchers(request -> HandlerHelper.isFrameworkInternalRequest("/*", request)).permitAll()
                .requestMatchers("/admin/trading-accounts", "/admin/algoSignals").authenticated()
                .requestMatchers("/vaadinServlet/**", "/VAADIN/**").permitAll()
                .anyRequest().permitAll()
            )
            .formLogin(form -> form
                .loginPage("/admin/login")
                .defaultSuccessUrl("/admin/trading-accounts", true)
                .failureUrl("/admin/login?error=true")
                .permitAll()
            );
        setLoginView(http, LoginView.class);
    }

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception {
        return authConfig.getAuthenticationManager();
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().requestMatchers(
                "/VAADIN/**",
                "/v-r/**",
                "/favicon.ico",
                "/manifest.json",
                "/icons/**",
                "/images/**",
                "/frontend/**",
                "/webjars/**",
                "/frontend-es5/**", "/frontend-es6/**"
        );
        super.configure(web);
    }
}
```
I’m working on a Spring Boot application using Vaadin for the frontend and Spring Security for authentication. I'm encountering an issue where Vaadin's internal XHR requests are being blocked with a 403 Forbidden error after login.
The error details from the browser console are as follows:

```text
FlowClient-341d667e.js:3 POST http://localhost:8085/?v-r=uidl&v-uiId=3 403 (Forbidden)
FlowClient-341d667e.js:1 Server returned 403 for xhr
FlowClient-341d667e.js:1 Reconnecting because of XHR failure
FlowClient-341d667e.js:1 Reconnect attempt 1 for XHR
FlowClient-341d667e.js:3 Re-sending last message to the server...
FlowClient-341d667e.js:1 Sending xhr message to server: {"csrfToken":"f1fea950-67a6-4c85-9760-3c5b43b27602",
"rpc":[{"type":"publishedEventHandler","node":1,"templateEventMethodName":"connectClient",
"templateEventMethodArgs":["admin/login","","",null,""],"promise":0}],"syncId":0,"clientId":0}
```
What I’ve tried:

1. Disabling CSRF entirely:

```java
http.csrf(AbstractHttpConfigurer::disable);
```

2. Configuring CSRF to ignore specific Vaadin endpoints:

```java
http.csrf(csrf -> csrf
    .ignoringRequestMatchers(
        "/admin/**", "/admin/trading-accounts", "/admin/algoSignals",
        "/vaadinServlet/**", "/VAADIN/**", "/frontend/**",
        "/frontend-es5/**", "/frontend-es6/**")
);
```

3. Allowing Vaadin internal requests using HandlerHelper.isFrameworkInternalRequest:

```java
http.authorizeRequests(auth -> auth
    .requestMatchers(request -> HandlerHelper.isFrameworkInternalRequest("/*", request)).permitAll()
    .requestMatchers("/admin/trading-accounts", "/admin/algoSignals").authenticated()
    .anyRequest().permitAll()
);
```
This also doesn’t resolve the problem.
Upvotes: 0
Views: 42
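The `configure(HttpSecurity)` override in the question never calls `super.configure(http)`, which is where `VaadinWebSecurity` registers the permit and CSRF rules for Vaadin's internal `?v-r=uidl` requests (they carry Vaadin's own CSRF token in the JSON body). The configuration below is an added example, not code from the question, showing the documented VaadinWebSecurity pattern: app-specific public paths first, then the base class, then the login view, which keeps Spring's CSRF filter active for `/admin/**` instead of excluding it wholesale; it assumes `LoginView` is in the same package and that a `UserDetailsService` bean (such as the question's `AdminLoginDetailService`) is registered elsewhere.

```java
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@EnableWebSecurity
@Configuration
public class SecurityConfiguration extends VaadinWebSecurity {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Application-specific public resources are declared first, so they are
        // evaluated before the catch-all rules the Vaadin base class adds below.
        // AntPathRequestMatcher avoids the MVC-vs-servlet pattern ambiguity that
        // plain String matchers can raise when more than one servlet is registered.
        http.authorizeHttpRequests(auth -> auth
                .requestMatchers(new AntPathRequestMatcher("/images/**")).permitAll()
                .requestMatchers(new AntPathRequestMatcher("/icons/**")).permitAll());

        // VaadinWebSecurity registers what the framework itself needs:
        //  - permits Vaadin internal requests (UIDL, heartbeat, push),
        //  - exempts only those internal requests from Spring's CSRF filter,
        //    because Vaadin validates its own csrfToken on every UIDL message,
        //  - permits Vaadin static resources,
        //  - requires authentication for every other request.
        // Spring's CSRF protection therefore stays on for normal /admin/** pages.
        super.configure(http);

        // Unauthenticated requests are redirected to LoginView (assumed to be the
        // application's own @Route view); after login the user is sent back to the
        // originally requested URL.
        setLoginView(http, LoginView.class);
    }
}
```

With the base class handling the framework paths, a separate `configure(WebSecurity)` override listing `/VAADIN/**` and similar resources is no longer required.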