
Spring Boot returns 403 Forbidden on POST requests with Keycloak

I am using Keycloak to authenticate my Spring Boot application.

I have created a new realm (CommonServices) with a client (chatting-system).

I have this configuration:

keycloak:
  auth-server-url: http://localhost:8083/auth
  realm: CommonServices
  resource: chatting-system
  public-client: true
  principal-attribute: preferred_username
  use-resource-role-mappings: true
  security-constraints[0].authRoles[0]: user
  ssl-required: external

spring:
  data:
    mongodb:
      host: localhost
      port: 27017
      database: Chat
      username: saga
      password: password

  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: http://localhost:8083/auth/realms/CommonServices/protocol/openid-connect/certs
          issuer-uri: http://localhost:8083/auth/realms/CommonServices

and I have configured the security as such:

@KeycloakConfiguration
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        KeycloakAuthenticationProvider keycloakAuthenticationProvider = keycloakAuthenticationProvider();
        auth.authenticationProvider(keycloakAuthenticationProvider);
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.authorizeRequests()
                .antMatchers("/**")
                .hasRole("user")
                .anyRequest()
                .authenticated();
    }
}

@Configuration
public class KeycloakConfig {

    @Bean
    public KeycloakSpringBootConfigResolver keycloakConfigResolver() {
        return new KeycloakSpringBootConfigResolver();
    }
}

THE ISSUE

When I access my GET API everything goes fine, but

if I access the POST REST API I get 403 Forbidden.

I guess that's a problem with CSRF protection that Spring Security enables by default. Try disabling it in your SecurityConfig to make sure that's the case.

@Override
protected void configure(HttpSecurity http) throws Exception {
    super.configure(http);
    http
            .csrf().disable() // <- THIS LINE
            .authorizeRequests()
            .antMatchers("/**")
            .hasRole("user")
            .anyRequest()
            .authenticated();
}

If that's the reason, I recommend setting up proper CSRF protection, as disabling it is time-saving in terms of development, but overall is not a good idea in terms of deploying to production.
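One way to keep CSRF protection on instead of disabling it, written as an added example rather than code from the question or the answer above: the token is stored in a readable XSRF-TOKEN cookie so a browser client can echo it back in the X-XSRF-TOKEN header, while requests that carry a bearer token (and therefore no browser-attached session cookie) are exempted from the check. It assumes the same Keycloak Spring Boot adapter classes the question uses and a browser client that reads the cookie; the bearer-header matcher is my own addition.

```java
import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.http.HttpHeaders;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.util.matcher.RequestMatcher;

@KeycloakConfiguration
class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter {

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) {
        KeycloakAuthenticationProvider provider = keycloakAuthenticationProvider();
        auth.authenticationProvider(provider);
    }

    @Bean
    @Override
    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
    }

    // Assumption: a request with "Authorization: Bearer ..." is an API call whose
    // credential the browser cannot attach automatically, so it cannot be forged
    // cross-site the way a cookie-backed session can; it keeps the default CSRF
    // matcher (POST/PUT/PATCH/DELETE) for everything else.
    private static final RequestMatcher CSRF_FOR_COOKIE_SESSIONS = request -> {
        String authz = request.getHeader(HttpHeaders.AUTHORIZATION);
        boolean bearer = authz != null && authz.startsWith("Bearer ");
        return !bearer && CsrfFilter.DEFAULT_CSRF_MATCHER.matches(request);
    };

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http);
        http.csrf()
                // XSRF-TOKEN cookie readable by page scripts; Spring expects it back as X-XSRF-TOKEN
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .requireCsrfProtectionMatcher(CSRF_FOR_COOKIE_SESSIONS)
            .and()
            .authorizeRequests()
                .antMatchers("/**").hasRole("user")
                .anyRequest().authenticated();
    }
}
```

With this in place a cookie-authenticated POST without the X-XSRF-TOKEN header still gets 403, which is the behaviour you want, while the same POST with the header (or with a bearer token) goes through.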
