Postman 403 Forbidden message
Enable Spring Security with @EnableWebSecurity usage. By default it enables CSRF support; you have to disable it to prevent Forbidden errors.
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    http // other configure params.
        .csrf().disable();
}
```
PS: 415 Unsupported Media Type --> add to your mapping an annotation like this, for the type of data that is being sent from Postman.
```java
@PostMapping(consumes = "application/json")
void addProject(@RequestBody Project newProject) {
    projectService.saveProject(newProject);
}
```
Author: abc
Updated on September 26, 2020

Comments
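The comment thread below argues over whether `.csrf().disable()` is acceptable advice. As an added example (not the answer's or the question's own code), here are the two configurations that distinction comes down to, written against Spring Boot 2.x / Spring Security 5.x with `WebSecurityConfigurerAdapter` as in the question; the URL `/cidashboard/projects` is taken from the question, and the choice of HTTP Basic for the stateless variant is an assumption. Disabling CSRF is only defensible when the API never issues a session cookie; if the app keeps form login and sessions, the safer fix is to keep CSRF on and let the client send the token back.

```java
// Added example, not from the original post. Assumes Spring Boot 2.x with
// Spring Security 5.x (WebSecurityConfigurerAdapter, as in the question).
// Register only ONE of these two configurations in an application.
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

/**
 * Variant 1: keep CSRF protection (the default) and expose the token to the client.
 * Spring issues an XSRF-TOKEN cookie on the first response; the client (Postman,
 * a JS front end) must echo its value in the X-XSRF-TOKEN header on every
 * POST/PUT/DELETE. A POST without that header produces exactly the 403
 * "Forbidden" body shown in the question, which is the protection working.
 */
@Configuration
@EnableWebSecurity
public class SessionApiSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .csrf()
                // withHttpOnlyFalse() lets client-side code read the cookie value
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .and()
            .authorizeRequests()
                .antMatchers("/css/**").permitAll()
                .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}

/**
 * Variant 2: the answer's .csrf().disable(), but only together with a STATELESS
 * session policy. With no session cookie ever issued, a browser cannot be made
 * to send an authenticated cross-site POST, so there is nothing for CSRF
 * protection to defend and disabling it does not weaken the API. Credentials
 * are sent explicitly per request (HTTP Basic here is an assumption).
 */
@Configuration
@EnableWebSecurity
class StatelessApiSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/cidashboard/projects/**").authenticated()
                .anyRequest().denyAll()
            .and()
            .httpBasic();
    }
}
```

With Variant 1, the Postman workflow is: send a GET to any endpoint, copy the value of the `XSRF-TOKEN` cookie from the response, and add it as an `X-XSRF-TOKEN` header on the POST. The 403 from the question disappears without turning the protection off. With Variant 2, the 403 disappears because the filter is gone, which is acceptable only because the STATELESS policy guarantees no session cookie exists for an attacker's page to ride on.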
-
abc almost 4 years
I made an API with Spring REST. A GET request works fine in Postman, but when I try to do a POST request I receive this error:
```json
{
  "timestamp": "2018-09-25T06:39:27.226+0000",
  "status": 403,
  "error": "Forbidden",
  "message": "Forbidden",
  "path": "/cidashboard/projects"
}
```
This is my controller:
```java
@RestController
@RequestMapping(ProjectController.PROJECT_URL)
public class ProjectController {

    public static final String PROJECT_URL = "/cidashboard/projects";

    private final ProjectService projectService;

    public ProjectController(ProjectService projectService) {
        this.projectService = projectService;
    }

    @GetMapping
    List<Project> getAllProjects() {
        return projectService.findAllProjects();
    }

    @GetMapping("/{id}")
    Project getProjectById(@PathVariable int id) {
        return projectService.findProjectById(id);
    }

    @PostMapping
    void addProject(@RequestBody Project newProject) {
        projectService.saveProject(newProject);
    }
}
```
Security configuration: initially I wanted to work with LDAP, but in my application properties I left only the connection to the database.
```java
@EnableGlobalMethodSecurity
@Configuration
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            .antMatchers("/css/**").permitAll();
        // .anyRequest().fullyAuthenticated();
        // .and()
        // .formLogin().loginPage("/login").permitAll()
        // .failureUrl("/login-error");
    }

    @Override
    public void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .ldapAuthentication()
            .userDnPatterns("uid={0},ou=people")
            .groupSearchBase("ou=groups")
            .contextSource(contextSource())
            .passwordCompare()
            // .passwordEncoder(new LdapShaPasswordEncoder())
            .passwordAttribute("userPassword");
    }

    @Override
    public void configure(WebSecurity web) throws Exception {
        web
            .ignoring()
            .antMatchers("/resources/static/**"); // #3
    }

    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        return new DefaultSpringSecurityContextSource(
            Arrays.asList("ldap://localhost:8389/"), "dc=springframework,dc=org");
    }
}
```
-
abc almost 6 years I added it and now I receive this error: 415 Unsupported Media Type
-
M. Deinum almost 6 years So your actual advice is to make the application less secure only for testing...
-
drowny almost 6 years Unsupported Media Type is about the type you are sending. Which type is being sent from Postman, JSON or what else?
-
drowny almost 6 years @M.Deinum But he ignored the CSRF, which means he doesn't need this token. If he used it, CSRF support is the default. That means he doesn't want the CSRF token.
-
M. Deinum almost 6 years That is an assumption. The fact that he ignored the CSRF token could very well be due to the fact he didn't know that CSRF protection is enabled by default. Nonetheless, giving the advice to make an application less secure is always a bad answer (imho that is).
-
drowny almost 6 years Assumptions, but I think true. Of course he can find out about CSRF usage. I said only how to prevent this problem. I respect your thinking, but I don't think this downvote is totally right. But thanks for your suggestions and opinions.
-
abc almost 6 years Drowny, does @Consumes need a special dependency?
-
drowny almost 6 years I added a new configuration on PostMapping to my post. You can use @PostMapping(consumes = "application/json")
-
abc almost 6 years I receive this: org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL was not normalized.
-
abc almost 6 years Finally it works. I had a mistake in the database. But it works only with .csrf().disable(), and I didn't have to put @Consumes(MediaType.APPLICATION_JSON_VALUE). Thanks a lot!!! :)