Using postman, I can get a list of users with a get request to: http://localhost:8080/users
.
But when I send a post request to the same address, I get a 40
When you use spring boot with spring security and if you are accessing your API's(POST, PUT, DELETE) from Postman or something, they wont be accessible and error is related to authorization like forbidden 403.
So in that case, you have to disabled to csrf functionality to run and test the API from Postman.
The answer provided by @benjamin c is right. You have to add the class with the this configuration will work.
Make sure you are removing this when you add your code in production. CSRF protection is must and you have to keep it in security functionality.
I am just extending his answer for more details by providing complete class details. My requirement was to just test the API from Postman, so I added this class, and able to test the API from Postman.
But after that I have added Spring Junit classes to test my functionalities and removed this class.
@Configuration
@EnableWebSecurity
public class AppWebSecurityConfigurer extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable()
.authorizeRequests()
.anyRequest().permitAll();
}
}
Hope this helps to someone.
403 means you don't have authorization. Even though you commented out your method, your code will still be preconfigured with default security access.
You can add:
http.authorizeRequests()
.antMatchers("/users/**").permitAll();
UPDATE : The configuration with csrf disabled:
http.csrf()
.ignoringAntMatchers("/users/**")
.and()
.authorizeRequests()
.antMatchers("/users/**").permitAll();
@EnableWebSecurity
enables spring security and it by default enables csrf
support, you must disable it in order to prevent 403 errors.
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable();
}
Or send csrf
token with each request.
Note: disabling csrf
makes application less secure, best thing to do is send csrf
token.
Please configure your http like this ;
@Override
protected void configure(HttpSecurity http) throws Exception {
http
//configureothers if u wants.
.csrf().disable();
}
Please read for more CSRF