Summary
When I try to POST to a resource requiring authentication, I am redirected to a login page (as expected). Upon entering the username and password, I get a 403 access denied error. This works fine if I do a GET to the exact same resource. It's only for a POST.
Actual Behavior
Receive 403 after successful authentication if authentication trigger is a POST to a protected resource.
Expected Behavior
Resource call should execute the same as a GET.
Configuration
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // pattern as posted; the issue text may have lost '*' wildcards in rendering
                .antMatchers("//action/").access("isFullyAuthenticated()")
                .and().formLogin()
                .and().csrf().disable();
    }
Version
Tried 5.0.4 and 4.2.4
Sample
Comment From: jzheaux
@bleepbleepbleep, the behavior you specify is already supported:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@SpringBootApplication
public class DemoApplication {

    @Controller
    public static class ActionController {

        // GET /action renders a form that POSTs back to /action
        @GetMapping("/action")
        @ResponseBody
        String getOk() {
            return "<form action='/action' method='post'><button type='submit'>Go</button></form>";
        }

        // POST /action is the protected call the reporter is exercising
        @PostMapping("/action")
        @ResponseBody
        String postOk() {
            return "ok";
        }
    }

    @EnableWebSecurity
    public static class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/action/**")
                    .access("isFullyAuthenticated()")
                    .and()
                .formLogin()
                    .and()
                .csrf().disable();
        }

        // Single in-memory user so the sample runs without any external store
        @Bean
        @Override
        public UserDetailsService userDetailsService() {
            UserDetails user = User.withDefaultPasswordEncoder()
                    .username("user")
                    .password("password")
                    .roles("USER")
                    .build();
            return new InMemoryUserDetailsManager(user);
        }
    }

    public static void main(String[] args) {
        SpringApplication.run(DemoApplication.class, args);
    }
}
In the above code, both GET /action and POST /action return a 200 OK once the user is authenticated.
Note the ant syntax for /action, which is where I think I could be misunderstanding your use case. Would you mind clarifying if you feel I've misunderstood? Otherwise, I'll close this issue and recommend that you make a post to StackOverflow for further troubleshooting support.
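As an added example, not code from this thread or from Spring Security itself: a stand-alone program that uses Spring's own AntPathMatcher (spring-core) to show which of the patterns seen in this issue match /action and its sub-paths. The pattern and path lists are constructed for the check; `//action/` is the string exactly as it appears in the issue's Configuration section, and `/action/**` is the one from the comment above. Spring Security's antMatchers() applies the same ant semantics when it compares a pattern against the request path.

```java
// Added example (not from the thread): which ant patterns match which request paths.
// Assumes spring-core is on the classpath; no Spring Boot context is needed.
import org.springframework.util.AntPathMatcher;

public class AntPatternCheck {

    private static final AntPathMatcher MATCHER = new AntPathMatcher();

    // Patterns taken from this thread plus plain variants for comparison.
    static final String[] PATTERNS = { "/action", "/action/", "//action/", "/action/**" };

    // Request paths a client might send; constructed for this example.
    static final String[] PATHS = { "/action", "/action/", "/action/sub" };

    // True when the ant pattern covers the given request path.
    static boolean matches(String pattern, String path) {
        return MATCHER.match(pattern, path);
    }

    public static void main(String[] args) {
        System.out.printf("%-12s", "pattern");
        for (String path : PATHS) {
            System.out.printf("%-14s", path);
        }
        System.out.println();
        for (String pattern : PATTERNS) {
            System.out.printf("%-12s", pattern);
            for (String path : PATHS) {
                System.out.printf("%-14s", matches(pattern, path));
            }
            System.out.println();
        }
    }
}
```

Running it shows that `/action/**` matches all three paths, that the plain `/action` matches only the exact path, and that both `/action/` and `//action/` (empty segments are dropped, so they are the same pattern) match only `/action/` with its trailing slash. A rule written with a trailing slash therefore never applies to a request for `/action`, which is why the exact spelling of the ant pattern matters when comparing GET and POST behaviour.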
Comment From: chandu-atina
@bleepbleepbleep From your statement that GET works well and POST throws a 403 error, I suspect that CSRF protection is enabled and the POST request doesn't include a valid CSRF token.
But your sample code states that CSRF is disabled; can you confirm the same from your application configuration, to make sure that CSRF is really disabled?
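The diagnosis above (a POST rejected with 403 because CSRF protection is on and the request carries no valid token) is normally resolved by sending the token with the POST rather than by switching the protection off. As an added example, not code from this thread or from Spring Security's own sources, the application below keeps CsrfFilter enabled and has the GET handler embed the token in the form it renders. It assumes Spring Boot 2.x with spring-boot-starter-web and spring-boot-starter-security; the package name and class names are hypothetical.

```java
// Added example (not from the thread): keep CSRF protection on and send the token.
// Assumes Spring Boot 2.x (javax.servlet) with the web and security starters.
package com.example.csrfdemo; // hypothetical package name

import javax.servlet.http.HttpServletRequest;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.util.HtmlUtils;

@SpringBootApplication
public class CsrfDemoApplication {

    @Controller
    public static class ActionController {

        // GET renders a form that carries the CSRF token as a hidden field.
        // With CsrfFilter active, Spring Security stores the current token in a
        // request attribute keyed by the CsrfToken class name.
        @GetMapping("/action")
        @ResponseBody
        String form(HttpServletRequest request) {
            CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            return "<form action='/action' method='post'>"
                 + "<input type='hidden' name='" + HtmlUtils.htmlEscape(csrf.getParameterName())
                 + "' value='" + HtmlUtils.htmlEscape(csrf.getToken()) + "'/>"
                 + "<button type='submit'>Go</button></form>";
        }

        // A POST without the token (or with a stale one) is rejected by CsrfFilter
        // with 403 before this handler runs; with the token it returns 200 "ok".
        @PostMapping("/action")
        @ResponseBody
        String post() {
            return "ok";
        }
    }

    @EnableWebSecurity
    public static class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    .antMatchers("/action/**").access("isFullyAuthenticated()")
                    .anyRequest().authenticated()
                    .and()
                .formLogin();
            // No csrf().disable(): CsrfFilter stays on for POST, PUT, PATCH and DELETE.
            // The default login page already includes the token in its own form.
        }

        // Single in-memory user so the example runs without an external store.
        @Bean
        @Override
        public UserDetailsService userDetailsService() {
            UserDetails user = User.withDefaultPasswordEncoder()
                    .username("user")
                    .password("password")
                    .roles("USER")
                    .build();
            return new InMemoryUserDetailsManager(user);
        }
    }

    public static void main(String[] args) {
        SpringApplication.run(CsrfDemoApplication.class, args);
    }
}
```

To check the behaviour, log in as user/password, load GET /action and submit the rendered form: the POST succeeds. Submitting the same POST from a client that omits the hidden field (or sends a token from another session) yields the 403 "Access Denied" described in this issue, which is the signal that the token, not the authorization rule, is what the request is missing.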
Comment From: charlie39
This is something I am facing right now with Spring Security 5.1.5.
Comment From: jzheaux
@charlie39 would you be able to provide a sample project that reproduces the issue you are experiencing?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
Comment From: solutionaddicts
Has anyone fixed this error? I'm facing this issue when I trigger a POST request with a couple of fields.
    {
      "timestamp": "2020-02-06T19:58:23.636+0000",
      "status": 403,
      "error": "Forbidden",
      "message": "Access Denied",
      "path": "/csor/security/greet"
    }
I have CSRF disabled in security config as below:
    @Override
    public void configure(HttpSecurity http) throws Exception {
        http
            .headers().frameOptions().disable()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            // .antMatchers("csor/security/authenticate/").permitAll()
            // patterns as posted; the issue text may have lost '*' wildcards in rendering
            .antMatchers("/v2/api-docs", "/swagger-resources/", "/swagger-ui.html", "/webjars/").permitAll()
            // .anyRequest().authenticated()
            .and()
            .csrf().disable();
            //.and()
            //.addFilter(new JwtAuthenticationFilter(authenticationManager()))
            //.addFilter(new JwtAuthorizationFilter(authenticationManager()));
    }
Comment From: VhiktorBrown
I've been experiencing this issue for the past 1 week now. I disabled csrf but I still get the same error. Any little help would be appreciated.
Comment From: danielptm
I'm having the same issue.
Comment From: sarita-hirekhan
Even I am facing this issue. How do I resolve the 403 error for a POST API?
Comment From: mohit06
Same issue.