
I am building a user registration form. I have POST endpoint for registration and I am able to successfully register.

I have another endpoint called /invalid-token which is also mapped to a POST mapping. I have added both of the endpoints to the permitAll rules as below:

    http.authorizeRequests()
        .antMatchers("/register", "/confirm", "/invalid-token", "/registration-success")
        .permitAll()
        .anyRequest()
        .authenticated();

When I make a POST request to the invalid-token from the browser, I am getting a 403. I am not understanding where I am going wrong.

Response Status:

    General:
    Request URL: http://localhost:8081/invalid-token
    Request Method: POST
    Status Code: 403
    Remote Address: [::1]:8081
    Referrer Policy: no-referrer-when-downgrade

    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Content-Length: 0
    Date: Tue, 23 Apr 2019 05:14:30 GMT
    Expires: 0
    Pragma: no-cache
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-XSS-Protection: 1; mode=block
  • Can you check what the sub-status error code is? Commented Apr 23, 2019 at 5:14
  • Did you try disabling CSRF? http.csrf().disable();? If it works, consider adding a token to production; disabling it is only for checking, dev... Commented Apr 23, 2019 at 5:16
  • When I disable CSRF, it works, but why is the /register endpoint working even without CSRF disabled? Commented Apr 23, 2019 at 5:17
  • @Maroun I am curious to know why it works for the register endpoint and not for the /invalid-token endpoint with CSRF disabled. Commented Apr 23, 2019 at 6:16
  • @zilcuanu I'm not really sure. Can you provide more code? Or the way you're trying to access the resources? Commented Apr 23, 2019 at 7:05

1 Answer


I would recommend that you follow standard API definitions when defining microservices.

The issue could be the pattern you have defined, i.e. /invalid-token.

Disabling CSRF worked because in your API URL the pattern /invalid-token has a special character which I guess is allowed by Spring Security.

When CSRF is enabled, then somehow the - is causing Spring Security to mark it as 403.

You can try with the pattern /invalid/token, even with CSRF enabled, and it should give the required behaviour.


2 Comments

This challenged my Spring skills and was overwhelming. Is the special character behaviour mentioned in the docs?
The special character in the URL is a general issue irrespective of Spring Security which fails in mapping resolvers. Can you try defining some regex, maybe?
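The second comment on the question suggests keeping a CSRF token in production instead of calling csrf().disable(); the configuration below is an added example (not code from the question or the answer) showing the permitAll rules from the question with CSRF left enabled and the token exposed to browser clients. It assumes the /register form was rendered with Spring's _csrf hidden field while the /invalid-token POST was sent without one, and that the project uses the WebSecurityConfigurerAdapter style the question's snippet implies; the class name SecurityConfig is hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Hypothetical class name; the question does not show its configuration class.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Authorization rules: permitAll() only decides WHO may reach an
            // endpoint. It does not exempt the request from the CsrfFilter,
            // which runs earlier in the filter chain and answers 403 to any
            // POST/PUT/PATCH/DELETE that carries no valid token, which is the
            // response shown in the question.
            .authorizeRequests()
                .antMatchers("/register", "/confirm", "/invalid-token", "/registration-success")
                    .permitAll()
                .anyRequest().authenticated()
                .and()
            // Weak setting from the comments, shown for comparison only:
            //   .csrf().disable()
            // With it, every state-changing endpoint becomes forgeable from
            // any origin the victim's browser visits.
            //
            // Corrected setting: keep CSRF enabled and store the token in a
            // cookie named XSRF-TOKEN that JavaScript may read, so a browser
            // client echoes it back in the X-XSRF-TOKEN header on each POST.
            // Server-rendered forms (e.g. the /register Thymeleaf form assumed
            // above) keep working unchanged via the _csrf hidden field.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
```

With this in place a fetch() or XMLHttpRequest call to /invalid-token must copy the XSRF-TOKEN cookie value into an X-XSRF-TOKEN request header; a POST that omits it still receives the 403 from the question, which is the intended protection rather than a routing fault.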
