-1

In Postman, when I entered my POST request with the Authorization header and token value, it works. However, when I wanted to check it with axios, it gives me a 403 HTTP error (I've already provided the Authorization header in axios). (My token with Bearer is `localStorage.getItem("CurrentUser")`.) I am putting my axios code below (when I checked the token and request string, they are both totally the same as in Postman):

    try {
        await axios.post(
            "http://localhost:8080/admins/post/" + allemployees[index].id,
            { headers: { 'Authorization': localStorage.getItem("CurrentUser") } }
        );
    } catch (error) {
        console.error(error);
    }

I also put my security.config, maybe the problem was there:

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig {

        private JwtAuthenticationEntryPoint handler;

        @Bean
        public PasswordEncoder passwordEncoder() {
            return new BCryptPasswordEncoder();
        }

        @Bean
        public AuthTokenFilter jwtAuthenticationFilter() {
            return new AuthTokenFilter();
        }

        @Bean
        public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception {
            return authenticationConfiguration.getAuthenticationManager();
        }

        @Bean
        public CorsFilter corsFilter() {
            UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
            CorsConfiguration config = new CorsConfiguration();
            config.setAllowCredentials(true);
            config.setAllowedOrigins(List.of("http://localhost:3000"));
            config.addAllowedHeader("*");
            config.addAllowedMethod("*");
            source.registerCorsConfiguration("/**", config);
            return new CorsFilter(source);
        }

        @Bean
        public SecurityFilterChain configure(HttpSecurity httpSecurity) throws Exception {
            httpSecurity
                .cors()
                .and()
                .csrf().disable()
                .exceptionHandling().authenticationEntryPoint(handler).and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests()
                .antMatchers("/api/**")
                .permitAll()
                .anyRequest().authenticated()
                .and()
                .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
                .logoutSuccessUrl("http://localhost:3000/")
                .invalidateHttpSession(true);

            httpSecurity.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);

            return httpSecurity.build();
        }
    }

How can I solve this problem? Thank you.

aenes
  • Maybe you forgot to add the `Bearer` prefix while adding the token to the header in axios? – fatih Aug 22 '22 at 22:03
  • Actually, in localStorage I stored it with the Bearer prefix already. When I check, I can see it with Bearer. – aenes Aug 22 '22 at 22:30
  • Storing tokens in localStorage is extremely insecure. Also, Spring already has a built-in JWTFilter, so please motivate why you are building a custom filter? – Toerktumlare Aug 22 '22 at 23:10

1 Answer

1

Postman does not enforce CORS, so that is why it works. To enable CORS, please check here:

https://enable-cors.org/server.html

  • Thank you for the reply. On the page below I tried the 2nd option, putting @CrossOrigin on the controller to enable CORS: https://www.baeldung.com/spring-cors. I also put the CORS part with addallowedorigins in the config class as well (in setallowed origins, I added ("http localhost")). However, both of them do not work. – aenes Aug 22 '22 at 20:55
  • I have now also put in some proposals defined here: https://stackoverflow.com/questions/36968963/how-to-configure-cors-in-a-spring-boot-spring-security-application such as setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "PUT","OPTIONS","PATCH", "DELETE")); but it did not work. – aenes Aug 22 '22 at 21:21
  • Please do not say just "it doesn't work". That doesn't help anyone. If you do something, you need to describe exactly what you have done by updating your code in the first question and post all the errors/logs you get. None of us here can help you if you just say "it doesn't work". And don't post code in comments, update your first question! Where are your debug logs for Spring, where are your console logs, where is the actual request? None of us can reproduce what you have posted. – Toerktumlare Aug 22 '22 at 23:07
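
One thing to check in the request itself, separate from CORS: `axios.post` takes `(url, data, config)`, and the call in the question passes the `headers` object in the second (data) position. The following is an added example, not code from the post; `buildPostRequest` and `auditRequest` are hypothetical stand-ins that model only that positional signature, and the token and URL are constructed.

```javascript
// Added example. buildPostRequest is a hypothetical stand-in that models only
// the positional signature axios.post(url, data, config); it is not axios code.
function buildPostRequest(url, data, config = {}) {
  const headers = {};
  for (const [name, value] of Object.entries(config.headers || {})) {
    headers[name.toLowerCase()] = String(value);
  }
  let body;
  if (data !== undefined && data !== null) {
    // Objects in the data slot are serialized into the request body.
    body = typeof data === "string" ? data : JSON.stringify(data);
  }
  return { method: "POST", url, headers, body };
}

// Server-side view of the request: is the credential in the Authorization
// header, or did it end up in the body?
function auditRequest(req) {
  const findings = [];
  const auth = req.headers["authorization"];
  if (auth === undefined) {
    findings.push("no Authorization header on the wire");
  } else if (!/^Bearer [A-Za-z0-9._~+\/-]+=*$/.test(auth)) {
    findings.push("Authorization header is not 'Bearer <token>'");
  }
  if (req.body !== undefined && /bearer\s/i.test(req.body)) {
    findings.push("bearer token serialized into the request body");
  }
  return findings;
}

// Constructed sample values (not from the post).
const STORED = "Bearer constructed.sample.token";
const URL_UNDER_TEST = "http://localhost:8080/admins/post/1";

// Shape used in the question: the headers object sits in the data slot.
const asPosted = buildPostRequest(URL_UNDER_TEST, { headers: { Authorization: STORED } });
// Headers object moved to the config slot; null means "no body".
const corrected = buildPostRequest(URL_UNDER_TEST, null, { headers: { Authorization: STORED } });
// Stored value without the prefix, the case raised in the comments.
const noPrefix = buildPostRequest(URL_UNDER_TEST, null, { headers: { Authorization: "constructed.sample.token" } });

console.log(auditRequest(asPosted));
console.log(auditRequest(corrected));
console.log(auditRequest(noPrefix));
```

The same comparison can be made on the real request in the browser's network tab: look for an `Authorization` request header and for a JSON body containing a `headers` key.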