3

So i have backend in java and frontend in Angular. While im sending delete request to my spring boot rest endpoint im getting 403 code. Angular sends first OPTIONS request and it returns this 403 so DELETE request not happens. Additionaly GET and POST works fine.

I have tried disable csrf but it didnt wokred. Also im using it in my browser so i shouldnt disabling this. In soapUI DELETE works fine.

This is my security config class

@Configuration @EnableWebSecurity public class AuthConfig extends WebSecurityConfigurerAdapter { @Value(value = "${auth0.apiAudience}") private String audience; @Value(value = "${auth0.issuer}") private String issuer; @Bean CorsConfigurationSource corsConfigurationSource() { UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues()); return source; } @Override protected void configure(HttpSecurity http) throws Exception { JwtWebSecurityConfigurer .forRS256(audience, issuer) .configure(http) .cors() .and() .authorizeRequests() .antMatchers(HttpMethod.GET,"/public").permitAll() .antMatchers(HttpMethod.GET,"/private/**").authenticated() .antMatchers(HttpMethod.GET,"/private-scoped").hasAuthority("read:posts"); } }

I want to do this delete requests.

@PostMapping("/private/post/{id}/like") public void likePostById(@PathVariable Long id){ postService.likePostById(id); } @DeleteMapping("/private/post/{id}/like") public void unlikePostById(@PathVariable Long id){ postService.unlikePostById(id); }

enter image description here

Improve this question
10
  • Whats your delete request look like? Commented Apr 26, 2019 at 8:49
  • unlikePostById(post_id: number): Observable<boolean>{ return this.http.delete<boolean>(environment.api_endpoint+"/private/post/"+post_id+"/like"); } Commented Apr 26, 2019 at 9:01
  • actual request i cant share because its not created. Because OPTIONS request failed Commented Apr 26, 2019 at 9:02
  • @123 in soapUI DELETE works well, so request is ok. Commented Apr 26, 2019 at 10:46
  • Do you have a proxy infront of the application? Looks like you are trying to access /backend/private..., you don't have any ant matchers for backend Commented Apr 26, 2019 at 12:25

2 Answers 2

Reset to default
1

In case you are on Spring Boot, you can do this, too:

@Bean public WebMvcConfigurer corsConfigurer() { return new WebMvcConfigurer() { @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/**").allowedMethods("GET", "PUT", "POST", "DELETE", "PATCH", "OPTIONS", "HEAD"); } }; }

You can add your mappings to a particular url as well.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

You can also use : CorsConfiguration config = new CorsConfiguration(); config.setAllowedMethods(Arrays.asList("POST", "GET", "PUT", "DELETE"));
0

I think you limit your request type by

HttpMethod.GET

in your antMatchers.

Remove this parameter or add one more antiMatcher like:

.antMatchers(HttpMethod.DELETE,"your delete url").permitAll()
Improve this answer

4 Comments

I did .antMatchers("/private/**").authenticated() but this doesnt work. I think this is not problem because POST requests works fine.
Usually, I use .anyRequest().authenticated() for the undefined request in config. I guess if your post just get passed by security? Can you show your urls?
added in post higher
i did .anyRequest().authenticated() but still delete request doesnt work properly

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.