Spring security antMatchers not being applied on POST requests and only works with GET

After some investigation, it turned out that antMatchers was working as expected and allowing all URLs as intended, but the reason for the forbidden response that I was getting for the POST APIs was that Spring Security was waiting for a CSRF token for these POST requests, because CSRF protection is enabled by default in Spring Security.

So in order to make it work like this, you must provide the CSRF token in the POST request, or you can temporarily turn CSRF protection off (but you should enable it again before going to production, as this is a serious attack).

Example code for that:

protected void configure(HttpSecurity http) throws Exception {
    http
        // disabling CSRF here; you should enable it before using in production
        .csrf().disable()
        .authorizeRequests()
            // this matcher applies to all methods (GET/POST/...), for any URL matching the pattern
            .antMatchers("/**").permitAll();
}

You need to do something similar to this, and you should mention the role:

http
  .httpBasic().and()
  .authorizeRequests()
    // restrict write methods on the employees resource to the ADMIN role
    .antMatchers(HttpMethod.POST, "/employees").hasRole("ADMIN")
    .antMatchers(HttpMethod.PUT, "/employees/**").hasRole("ADMIN");

Hope it will solve your issue.
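
An added example, not part of either answer above: a configuration that keeps CSRF protection enabled and combines it with the method-specific role rules, so POST requests succeed once the client sends the token. The class name and the GET/anyRequest policy are assumptions made for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

// Hypothetical class name; same WebSecurityConfigurerAdapter style as the answers.
@Configuration
@EnableWebSecurity
public class EmployeeSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF stays enabled. The token is issued in the XSRF-TOKEN cookie
            // (readable by same-origin JavaScript) and must be echoed back in
            // the X-XSRF-TOKEN header on POST/PUT/PATCH/DELETE. Without it the
            // CsrfFilter answers 403 before any antMatchers rule is evaluated.
            .csrf()
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .and()
            .httpBasic()
                .and()
            .authorizeRequests()
                // Method-specific rules first: writes need the ADMIN role.
                .antMatchers(HttpMethod.POST, "/employees").hasRole("ADMIN")
                .antMatchers(HttpMethod.PUT, "/employees/**").hasRole("ADMIN")
                // Reads on the same paths are open (assumed policy for this example).
                .antMatchers(HttpMethod.GET, "/employees/**").permitAll()
                // Anything not listed above requires an authenticated user.
                .anyRequest().authenticated();
    }
}
```

A 403 on POST with this configuration means either the X-XSRF-TOKEN header is missing or the caller lacks the ADMIN role; enabling DEBUG logging for org.springframework.security shows which filter rejected the request.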