Why does Spring Security always respond with 403 Forbidden on all form Posts?
Question
I'm putting together a simple website using spring-boot (v2.1.3) and spring-mvc. It was working well until I added spring-security by including the spring-boot-starter-security dependency and adding an implementation of WebMvcConfigurer. Everything worked fine, including the default login and logout views, but all other forms respond with 403-Forbidden on POST's.
The bulk of the guidance I've seen involves csrf protection. Ultimately, you want to include csrf tokens in your form, but the simplest advice is to disable csrf protection completely (http.csrf.disable()). Adding that to the security configuration had no effect.
Here is my WebMvcConfigurer implementation...
@EnableWebSecurity
public class WebSecurityConfig implements WebMvcConfigurer {
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.anyRequest().authenticated()
.and()
.formLogin()
.and()
.httpBasic()
.and()
.csrf().disable();
}
@Bean
public UserDetailsService userDetailsService() throws Exception {
InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();
manager.createUser(User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build());
return manager;
}
}
Looking for any assistance on basic spring security configuration as it relates to form POST's.
1 answers
solution1
0 ACCPTED 2019-06-09 08:29:17
Implement WebSecurityConfigurer instead of WebMvcConfigurer
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurer {
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.