发表新帖
发表新帖

spring security 403 error

前端 未结
关注
4 1548
清歌不尽
清歌不尽 2020-12-07 22:38

I\'m trying to secure my website using Spring security following the guides on the web. So on my server side the WebSecurityConfigurerAdapter and controller looks like this<

相关标签:
4条回答
  • 暖寄归人
    2020-12-07 23:03

    The issue is likely due to CSRF protection. If users will not be using your application in a web browser, then it is safe to disable CSRF protection. Otherwise you should ensure to include the CSRF token in the request.

    To disable CSRF protection you can use the following:

    @Configuration
@EnableWebSecurity
public class WebSecurityConfig
    extends WebSecurityConfigurerAdapter implements ApplicationContextAware {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // ...
            .csrf().disable();
    }

    @Override
    protected void registerAuthentication(AuthenticationManagerBuilder authManagerBuilder) throws Exception {
        authManagerBuilder
            .inMemoryAuthentication()
                .withUser("user").password("password").roles("ADMIN");
    }
}
    0 讨论(0)
  • 清歌不尽
    2020-12-07 23:14

    Check your token which you are sending through 'Header' and also query in your database for the same token whether that token exist or not.

    Note : The above is applicable only in case you are using Spring Boot token authentication mechanism.

    0 讨论(0)
  • 臣服心动
    2020-12-07 23:19

    The issue may be related to CSRF or CORS Security Protection.

    • FOR CSRF: You can disable it if the application users did not use it from browsers.
    • For CORS: You can specify the origin and allow HTTP Methods.

    The below code disable CSRF and allow all origins and HTTP methods. so be aware when using it.

    @Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter  implements WebMvcConfigurer {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
    }

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**").allowedMethods("*");
    }

}
    0 讨论(0)
  • 不知归路
    2020-12-07 23:22

    I've been looking for days too! Simply disabling CSRF on your configure method with http.csrf().disable(); is all that needed to be done for my put requests to stop receiving 403.

    0 讨论(0)
 看不清?
提交回复
热议问题