403 Forbidden When I Try to Post to My Spring API

How to Solve 403 Error in Spring Boot Post Request

you have to disable csrf Protection because it is enabled by default in spring security: here you can see code that allow cors origin.

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter{

    @Override
    protected void configure(HttpSecurity http) throws Exception{
        http.cors().and().csrf().disable();
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.setAllowedOrigins(Arrays.asList("*"));
        configuration.setAllowedMethods(Arrays.asList("*"));
        configuration.setAllowedHeaders(Arrays.asList("*"));
        configuration.setAllowCredentials(true);
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

}

403 forbidden when I try to post to my spring api?

@EnableWebSecurity enables spring security and it by default enables csrf support, you must disable it in order to prevent 403 errors.

@Override
protected void configure(HttpSecurity http) throws Exception {
     http.csrf().disable();
}

Or send csrf token with each request.

Note: disabling csrf makes application less secure, best thing to do is send csrf token.

Spring Boot Security module gives 403 error when called by using axios from react but works fine in postman

I think here lies the problem:

http
    .csrf().disable().authorizeRequests().antMatchers("/authenticate/")
    .permitAll().anyRequest().authenticated()
    .and().exceptionHandling().and().sessionManagement()
    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
    .and().cors().configurationSource(request -> corsConfiguration);

You tell spring to permitAll requests to the /authenticate/ endpoint, and require authentication for all the other requests. But from the frontend you're making a request to /CRUD/authenticate/. That's why you get 403, because this path must be authenticated - meaning that the request must already have the Authorization header. I think it should work if you change the first line to this:

.csrf().disable().authorizeRequests().antMatchers("/CRUD/authenticate/")

Spring Boot 403 forbidden with POST request in Tomcat 9

The problem is with the CORS in my tomcat server.

I have commented below code and it works.

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
            <param-name>cors.allowed.origins</param-name>
            <param-value>http://localhost:9505, http://localhost, www.mydomain.io, http://mydomain.io, mydomain.io</param-value>
    </init-param>

</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

Thanks

spring boot return 403 forbidden when POST request with Keyclaok

I guess that's a problem with CSRF protection that Spring Security enables by default. Try disabling it in your SecurityConfig to make sure that's the case.

@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http
            .csrf().disable() // <- THIS LINE
            .authorizeRequests()
            .antMatchers("/**")
            .hasRole("user")
            .anyRequest()
            .authenticated();
}

If that's the reason, I recommend to set up proper CSRF protection, as disabling it is time saving in terms of development, but overall is not a good idea in terms of deploying to production.


Related Topics

@Autowired - No Qualifying Bean of Type Found for Dependency

How to Have Empty Requestparam Values Use the Defaultvalue

Utf-8 Encoding of Application.Properties Attributes in Spring-Boot

Spring Boot Rest API Returns 404

How to Return a Select Query from JPA Repository With Foreign Key Type

How to Prevent Xss Attacks or Untrusted Data in Rest API Json Using Java

How to Remove Line Breaks from a File in Java

Get Requestbody and Responsebody At Handlerinterceptor

Counting Unique Characters in a String

Spring Data Jpa- No Bean Named 'Entitymanagerfactory' Is Defined; Injection of Autowired Dependencies Failed

How to Get Value from a Disabled Text Field When the Value Is Not Present in Id or in Any Attribute Using Java in Selenium Webdriver

How to Pass External Jar File to Spring Boot Project

How to Format a String Number to Have Commas and Round

Netbeans Tomcat Build Failed - the Module Has Not Been Deployed

Error: Java: Invalid Target Release: 11 - Intellij Idea

Java Classnotfoundexception With Maven Dependency

Java - Check If Jtextfield Is Empty or Not

How to Multiply a and B With My Recursive Method


Leave a reply



Submit