Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

401 Unauthorized on POST endpoint in Spring Boot (MVC) application #26

Open
ashishrky opened this issue Mar 30, 2023 · 8 comments
Open

401 Unauthorized on POST endpoint in Spring Boot (MVC) application #26

ashishrky opened this issue Mar 30, 2023 · 8 comments

Comments

@ashishrky
Copy link

Hi, I am using Spring Boot 3 and Spring Security 6 and following the sample https://github.com/auth0-samples/auth0-spring-security5-api-sample/tree/use-spring-6/01-Authorization-MVC. Tutorial works well until I try with GET endpoints. But the moment I built a POST endpoint and call it, I get 401 Unauthorized error in postman even though this is configured to be permitted in SecurityConfig.java. Here is the link to my code changes https://github.com/ashishrky/auth0-spring-security5-api-sample/commit/8bf9866a7a18fb9d2e0c78f1950725f2f42eaee2. What’s wrong? Why GET call work just fine, but POST call get 401?

Posted in Auth0 community as well at https://community.auth0.com/t/401-unauthorized-on-post-endpoint-in-spring-boot-mvc-application/103716
@VANDRESSAGALDINOS
Copy link

"hi, I have exactly the same problem, did you manage to solve yours?"

@mraible
Copy link

mraible commented Apr 20, 2023

If you turn up the logging for Spring Security in application.yml:

logging:
  level:
    org.springframework.security.web: DEBUG

You'll see the error when you try to do a POST:

2023-04-20T10:24:21.166-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.security.web.FilterChainProxy        : Securing POST /api/public/post
2023-04-20T10:24:21.184-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://localhost:3010/api/public/post
2023-04-20T10:24:21.184-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.s.w.access.AccessDeniedHandlerImpl   : Responding with 403 status code
2023-04-20T10:24:21.186-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.security.web.FilterChainProxy        : Securing POST /error
2023-04-20T10:24:21.189-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext

If you disable CSRF in SecurityConfig.java, everything will work:

http.csrf().disable();

Here's proof:

Screenshot 2023-04-20 at 10 34 50 AM

@paulsofts
Copy link

CSRF (Cross-Site Request Forgery) is a type of attack on web applications. It happens when an attacker tricks a user into doing something they didn't intend to do on a different website where they are already logged in. Spring Boot Security uses CSRF protection to stop these tricks and keep your application safe.

In the above example, an authorized user has access only to the GetMapping method. That's why, as soon as they try to request the application with the PostMapping method, due to this CSRF, they get an unauthorised message. If we disable it, the post-mapping methods will work fine.

@jo1o3o
Copy link

jo1o3o commented Feb 15, 2024

So how do you still get CSRF protection while still being able to interact with the REST server? Is it just simple as disabling csrf for development and enabling it for production?

@Siddhnak
Copy link

SecurityFilterChain securityFilterChain(HttpSecurity http)throws Exception{ http.csrf((csrf) -> csrf.disable()) .authorizeHttpRequests((authorize)->{ authorize.requestMatchers(HttpMethod.POST,"/api/**").hasRole("ADMIN"); authorize.requestMatchers(HttpMethod.PUT,"/api/**").hasRole("ADMIN"); authorize.requestMatchers(HttpMethod.DELETE,"/api/**").hasRole("ADMIN"); authorize.anyRequest().authenticated(); }).httpBasic(Customizer.withDefaults()); return http.build(); }

In my case have already disabled it, but still getting 401 using POST from postman.
However i can login using the browser.

@paulsofts
Copy link

@Siddhnak In postman, you can Authorization Tab beside the Headers and add your username and password.

@TejashwiniBusnur
Copy link

@Siddhnak I am facing the same error as you did. Could you please share your knowledge if you have solved this in any manner. Thank you.

@fgluartes
Copy link

fgluartes commented Jul 26, 2024
edited
Loading

Here's what I did to retain the basic Auth in GET request and apply CSRF in POST request:

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
        	.csrf(csrf -> csrf
        				.ignoringRequestMatchers( "/api/**")
        				.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        				.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()))
        	.authorizeHttpRequests(auth -> {
                auth.anyRequest().authenticated();
        	})
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }

No Auth requests in Postman produces 401 Unauthorized error and with Basic Auth the request passes through.
Hope this helps!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@mraible @ashishrky @jo1o3o @TejashwiniBusnur @VANDRESSAGALDINOS @Siddhnak @paulsofts @fgluartes