4

I see this response when I try to add a new post after authorizing as admin.

I have Basic authorization, which is based on Spring Boot Security:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    //...declared fields
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        // Once a PasswordEncoder is registered, the stored value must be the encoded
        // form: a raw "userpass" never matches under BCryptPasswordEncoder.
        auth
                .inMemoryAuthentication()
                .passwordEncoder(passwordEncoder())
                .withUser("user")
                .password(passwordEncoder().encode("userpass"))
                .roles("USER")
                .and()
                .withUser("admin")
                .password(passwordEncoder().encode("adminpass"))
                .roles("ADMIN", "USER");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // csrf() is never touched here, so CSRF protection stays at its default: enabled.
        http
                .authorizeRequests()
                .antMatchers("/login").permitAll()
                .antMatchers("/logout").permitAll()
                .anyRequest().authenticated()
                .and()
                .httpBasic()
                .and()
                .formLogin()
                .loginProcessingUrl("/login")
                .permitAll()
                .and()
                // both logout() blocks configure the same LogoutConfigurer; merged into one
                .logout()
                .permitAll()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/login");
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
}

I get this message when I try to add a new post after authorization:

{
    "timestamp": "2018-07-04T12:19:25.638+0000",
    "status": 403,
    "error": "Forbidden",
    "message": "Forbidden",
    "path": "/post/create"
}

In my controller:

import javax.validation.Valid;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.Page;
import org.springframework.data.domain.Pageable;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class PostController {
    @Autowired
    private PostDAO postDAO;

    // GET is a "safe" method: CsrfFilter lets it through without a token.
    @GetMapping("/posts")
    public Page<Post> getAllPosts(Pageable pageable) {
        return postDAO.findAll(pageable);
    }

    // POST is state-changing: CsrfFilter demands a valid token before this runs.
    @PostMapping("/post/create")
    public Post createPost(@Valid @RequestBody Post post) {
        return postDAO.save(post);
    }
    //other end-points........
}

However, the read operations from my controller work well, but I don't have access to the CRUD (write) operations.

These are my dependencies:

dependencies {
    compile ('org.springframework.boot:spring-boot-starter-web')
    compile('org.springframework.boot:spring-boot-starter-data-jpa')
    compile('org.hibernate:hibernate-core')
    compile('org.springframework.boot:spring-boot-starter-security')
    runtime('mysql:mysql-connector-java')
    testCompile('org.springframework.boot:spring-boot-starter-test')
    testCompile('org.springframework.security:spring-security-test')
    testCompile('junit:junit')
}

Any idea? Thanks in advance!

Dmitriy S

2 Answers

17

This is due to CSRF being enabled. CSRF protection is enabled by default in the Java configuration. We can still disable CSRF using the configuration given below.

http
    .csrf().disable()
    .authorizeRequests()
    .anyRequest().permitAll();

Starting from Spring Security 4.x, CSRF protection is enabled by default in the XML configuration as well; we can of course still disable it if we need to:

<http>
    ...
    <csrf disabled="true"/>
</http>

Note: CSRF is an attack which forces an end user to execute unwanted actions in a web application in which they are currently authenticated.

Sumesh TG
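As an added example (not code from the question or from this answer), the configuration below is the alternative to disabling CSRF that I would reach for when the client is a REST/JavaScript front end rather than a server-rendered form. The class name is hypothetical; it reuses the question's URL patterns and assumes Spring Security 4.1 or later, where CookieCsrfTokenRepository exists. The token is issued in an XSRF-TOKEN cookie, the client echoes it back in an X-XSRF-TOKEN header on every POST/PUT/DELETE, and CsrfFilter answers 403 (exactly the response in the question) whenever the two do not match.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Hypothetical class name; authentication setup (users, encoder) is left as in the question.
@Configuration
@EnableWebSecurity
public class CsrfAwareSecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // same public endpoints as the question's configuration
                .antMatchers("/login", "/logout").permitAll()
                .anyRequest().authenticated()
                .and()
            .httpBasic()
                .and()
            .csrf()
                // CSRF stays enabled. The token is written to a cookie named XSRF-TOKEN
                // with HttpOnly=false so page script can read it; the client must send
                // the same value in the X-XSRF-TOKEN request header. GET/HEAD/OPTIONS
                // are exempt, every state-changing method is checked.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

The reason this defeats a cross-site request is the same-origin policy: a page on another origin can make the browser attach the session or Basic-auth credentials to a POST, but it cannot read the XSRF-TOKEN cookie to fill in the header. The flip side, and the check to make before choosing it, is that any script injection on your own origin can read that cookie, so the rest of the XSS defences (output encoding, a Content-Security-Policy) still matter. Disabling CSRF, as the answer shows, is only reasonable for an endpoint that no browser with ambient credentials can reach.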
1

here's why: csrf is automatically enabled in spring security,and I recommended you do not disable csrf. normally your html form tag should include a hidden field which generates csrf token, however, thymeleaf automaticlly do that for you, you should check your html tag to see whether or not a "th:" was included, if not, include a "th:" before "action" in form tag, do this, thymeleaf generates csrf token invisibablly.