We have a Spring Boot 2.0.x and Angular 6 multi-module application, using the OpenID Connect 1.0 implementation of the OAuth2 standard for security. Initial security works: it authenticates, authorizes, and lands on the Home page. But for some reason, our POST and DELETE REST calls are getting 403 Forbidden status codes for authenticated and authorized users. GET calls are unaffected and still work.
Does anybody have any idea what the reason for this could be? We don't have any roles that filter what a user can do. All users, once authenticated and authorized, will be able to POST, DELETE, and GET.
Here's the SecurityConfig:
```java
@Override
public void configure(WebSecurity web) throws Exception {
    System.out.println("Error!!/resources/**");
    web.ignoring().antMatchers("/resources/**");
}

@Bean
public OpenIdConnectFilter myFilter() {
    final OpenIdConnectFilter filter = new OpenIdConnectFilter("/auth/sso/callback");
    filter.setRestTemplate(restTemplate);
    return filter;
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    // @formatter:off
    http
        .addFilterAfter(new OAuth2ClientContextFilter(), AbstractPreAuthenticatedProcessingFilter.class)
        .addFilterAfter(myFilter(), OAuth2ClientContextFilter.class)
        .httpBasic().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/auth/sso/callback"))
        // .httpBasic().authenticationEntryPoint(new LoginUrlAuthenticationEntryPoint("/google-login"))
        .and()
        .authorizeRequests()
        .antMatchers("/errorPage").permitAll()
        .anyRequest().authenticated()
    ;
    // @formatter:on
}
```

POST signature:

```java
@PostMapping("/spreadsheet/upload/{uploader}/{filename}")
public ResponseEntity<?> uploadSpreadsheet(@RequestBody MultipartFile file,
        @PathVariable("uploader") String uploader,
        @PathVariable("filename") String filename) {
```

DELETE signature:

```java
@DeleteMapping("/spreadsheet/{uploader}/{filename}")
public ResponseEntity<?> deleteUploadedSpreadsheet(@PathVariable(value = "uploader") String uploader,
        @PathVariable String filename) {
```
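
The symptom described in the post (GET succeeds, POST and DELETE return 403 for an authenticated user) matches Spring Security's CSRF protection, which is enabled by default and rejects state-changing requests that carry no token. The following is an added example, not part of the original post: a configuration that publishes the token in a cookie Angular's HttpClient can read and logs CSRF rejections separately. The class name `CsrfCookieSecurityConfig` and the log message are assumptions, and the post's OpenID Connect filters are left out.

```java
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfException;

// Added example (hypothetical class name); the post's OIDC filters are omitted.
@Configuration
@EnableWebSecurity
public class CsrfCookieSecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger log = LoggerFactory.getLogger(CsrfCookieSecurityConfig.class);

    // Separates CSRF rejections from authorization failures in the log;
    // both end in 403, so the status code alone does not tell them apart.
    private AccessDeniedHandler csrfAwareDeniedHandler() {
        return (request, response, ex) -> {
            if (ex instanceof CsrfException) {
                log.warn("CSRF token missing or invalid: {} {} ({})",
                        request.getMethod(), request.getRequestURI(),
                        ex.getClass().getSimpleName());
            }
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");
        };
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF stays enabled. The token is written to the XSRF-TOKEN cookie
            // (readable by JavaScript) and expected back in X-XSRF-TOKEN,
            // the names Angular's HttpClient uses by default.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .exceptionHandling()
                .accessDeniedHandler(csrfAwareDeniedHandler())
                .and()
            .authorizeRequests()
                .antMatchers("/errorPage").permitAll()
                .anyRequest().authenticated();
    }
}
```

Angular's HttpClient adds the `X-XSRF-TOKEN` header only to mutating requests sent to relative (same-origin) URLs, so calls made with an absolute URL still arrive without the token.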