401 Unauthorized on POST endpoint in Spring Boot (MVC) application

Hi, I am using Spring Boot 3 and Spring Security 6 and following the sample auth0-spring-security5-api-sample/01-Authorization-MVC at use-spring-6 · auth0-samples/auth0-spring-security5-api-sample · GitHub. The tutorial works well when I try it with GET endpoints. But the moment I build a POST endpoint and call it, I get a 401 Unauthorized error in Postman even though this is configured to be permitted in SecurityConfig.java. Here is the link to my code changes: POST Endpoint to test · ashishrky/auth0-spring-security5-api-sample@8bf9866 · GitHub. What’s wrong? Why does the GET call work just fine, but the POST call gets a 401?

Hey there!

In order to handle that most effectively can I ask you to raise it as a GitHub issue here in the repo so we can discuss that directly with the repo maintainers? Once you have a link to it you can share it here so we can ping them. Thank you!

Hi @konrad.sopala, I have opened a GitHub issue at… 401 Unauthorized on POST endpoint in Spring Boot (MVC) application · Issue #26 · auth0-samples/auth0-spring-security5-api-sample · GitHub. Thanks


Perfect! I’ll ping the repo maintainers in a few minutes!

Hi @konrad.sopala, did you reach out to the repo maintainers? I do not see any update on this issue. This issue is blocking usage of Auth0 in my project. Can you please help? Thanks.

Reposting the solution from the team shared in the GitHub issue:

If you turn up the logging for Spring Security in application.yml:

logging:
  level:
    org.springframework.security.web: DEBUG

You’ll see the error when you try to do a POST:

2023-04-20T10:24:21.166-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.security.web.FilterChainProxy        : Securing POST /api/public/post
2023-04-20T10:24:21.184-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://localhost:3010/api/public/post
2023-04-20T10:24:21.184-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.s.w.access.AccessDeniedHandlerImpl   : Responding with 403 status code
2023-04-20T10:24:21.186-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.security.web.FilterChainProxy        : Securing POST /error
2023-04-20T10:24:21.189-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext

If you disable CSRF in SecurityConfig.java, everything will work:

http.csrf().disable();

Here’s proof:

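Added example, not part of the thread or of the Auth0 sample: the debug log above shows CsrfFilter rejecting the POST before any authorization rule is evaluated, so one alternative to disabling CSRF for the whole application is to exempt only the API paths and keep them stateless. The `/api/**`, `/api/public/**` and `/api/private/**` patterns and the class name are assumptions, as is a JwtDecoder configured elsewhere in the application (for example through the issuer-uri property).

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class name; path patterns below are assumed, not taken from the sample.
@Configuration
@EnableWebSecurity
public class ScopedCsrfSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CSRF protection defends cookie/session-authenticated browser requests.
            // The API is called with an Authorization: Bearer header, which a
            // browser never attaches on its own, so only these paths are exempted.
            // Anything outside /api/** keeps the default CSRF check.
            .csrf(csrf -> csrf.ignoringRequestMatchers("/api/**"))

            // No HTTP session is created, so there is no session cookie that a
            // cross-site request could ride on for the exempted paths.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))

            .authorizeHttpRequests(auth -> auth
                // Matches the POST /api/public/post request seen in the log.
                .requestMatchers("/api/public/**").permitAll()
                // Everything else under /api/private/** needs a valid token.
                .requestMatchers("/api/private/**").authenticated()
                // Deny by default so a newly added endpoint is never open by accident.
                .anyRequest().denyAll())

            // Validate bearer JWTs using the JwtDecoder bean assumed to exist.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));

        return http.build();
    }
}
```

With Spring Security debug logging still enabled, a POST to an exempted path should no longer produce the "Invalid CSRF token found" line, while a POST outside `/api/**` without a token still does.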
