How to enable POST, PUT AND DELETE methods in spring security

19,946

UPDATE Answer

If you're using Spring security 4, you can disable specific routes easily

http.csrf().ignoringAntMatchers("/nocsrf","/ignore/startswith/**")

If not, you can enable/disable CSRF on specific routes using requireCsrfProtectionMatcher

// Imports needed for this snippet (it goes inside configure(HttpSecurity http)):
// import java.util.regex.Pattern;
// import javax.servlet.http.HttpServletRequest;
// import org.springframework.security.web.util.matcher.RegexRequestMatcher;
// import org.springframework.security.web.util.matcher.RequestMatcher;

http.csrf().requireCsrfProtectionMatcher(new RequestMatcher() {
    // Safe (read-only) HTTP methods never need a CSRF token
    private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
    // Versioned API paths such as /v1/... are exempted (null = any HTTP method)
    private RegexRequestMatcher apiMatcher = new RegexRequestMatcher("/v[0-9]*/.*", null);

    @Override
    public boolean matches(HttpServletRequest request) {
        // No CSRF due to allowedMethod
        if (allowedMethods.matcher(request.getMethod()).matches())
            return false;

        // No CSRF due to api call
        if (apiMatcher.matches(request))
            return false;

        // CSRF for everything else that is not an API call or an allowedMethod
        return true;
    }
});

ORIGINAL Answer

You got an error because CSRF handling is 'on' by default with Spring Security.

You can disable it by adding http.csrf().disable();.

But really, would you leave your application unsecured? I invite you to read this article to protect your application against CSRF, even if your application is based on REST service and not form submission.


Updated on June 07, 2022

Comments

  • Rajan
    Rajan almost 2 years

    I developed an application with Spring Boot, which was working fine. There is a RESTful controller. I tried to add Spring Security to some of the pages. The REST controller's endpoint is

    /api/greetings

    I configured the security settings in the class below.

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/", "/home","/api/greetings").permitAll()
                    //.antMatchers("/api/greetings","").permitAll()//can't do this
                    .anyRequest().authenticated()
                    .and()
                .formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout()
                    .permitAll();
        }
    }

    Now, when I tried accessing the REST endpoint from a REST client (Postman), only the GET method is accessible and I am getting a 403 Forbidden response if I try to POST, PUT or DELETE.

    {
        "timestamp": 1467223888525,
        "status": 403,
        "error": "Forbidden",
        "message": "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.",
        "path": "/api/greetings/2"
    }
    

    How do I solve this issue? I am new to Spring Security things.

  • Rajan
    Rajan almost 8 years
    Is there other way, without disabling the csrf?
  • garthoid
    garthoid about 6 years
    When I used http.csrf().disable(); it also disabled all authentication.
  • Devabc
    Devabc almost 5 years
    If you want to use CSRF protection, then you will have to add a token to your HTTP POST requests. You can do this for example by adding a html input element of type "hidden" to the html forms. You can get the token from the CsrfTokenRepository. See docs.spring.io/spring-security/site/docs/5.1.5.RELEASE/…