403 Forbidden When I Try to Post to My Spring API

How to Solve 403 Error in Spring Boot Post Request

you have to disable csrf Protection because it is enabled by default in spring security: here you can see code that allow cors origin.

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

protected void configure(HttpSecurity http) throws Exception{

CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;


403 forbidden when I try to post to my spring api?

@EnableWebSecurity enables spring security and it by default enables csrf support, you must disable it in order to prevent 403 errors.

protected void configure(HttpSecurity http) throws Exception {

Or send csrf token with each request.

Note: disabling csrf makes application less secure, best thing to do is send csrf token.

Spring Boot Security module gives 403 error when called by using axios from react but works fine in postman

I think here lies the problem:

.and().cors().configurationSource(request -> corsConfiguration);

You tell spring to permitAll requests to the /authenticate/ endpoint, and require authentication for all the other requests. But from the frontend you're making a request to /CRUD/authenticate/. That's why you get 403, because this path must be authenticated - meaning that the request must already have the Authorization header. I think it should work if you change the first line to this:


Spring Boot 403 forbidden with POST request in Tomcat 9

The problem is with the CORS in my tomcat server.

I have commented below code and it works.

<param-value>http://localhost:9505, http://localhost, www.mydomain.io, http://mydomain.io, mydomain.io</param-value>



spring boot return 403 forbidden when POST request with Keyclaok

I guess that's a problem with CSRF protection that Spring Security enables by default. Try disabling it in your SecurityConfig to make sure that's the case.

protected void configure(HttpSecurity http) throws Exception {
.csrf().disable() // <- THIS LINE

If that's the reason, I recommend to set up proper CSRF protection, as disabling it is time saving in terms of development, but overall is not a good idea in terms of deploying to production.

Related Topics

Leave a reply