401 Unauthorized on POST endpoint in Spring Boot (MVC) application

ashishrky · March 30, 2023, 8:16am

Hi, I am using Spring Boot 3 and Spring Security 6 and following the sample auth0-spring-security5-api-sample/01-Authorization-MVC at use-spring-6 · auth0-samples/auth0-spring-security5-api-sample · GitHub. Tutorial works well until try with GET endpoints. But the moment I built a POST endpoint and call it, I get 401 Unauthorized error in postman even though this is configured to be permitted in SecurityConfig.java. Here is the link to my code changes POST Endpoint to test · ashishrky/auth0-spring-security5-api-sample@8bf9866 · GitHub. What’s wrong? Why GET call work just fine, but POST call get 401?

konrad.sopala · March 30, 2023, 10:59am

Hey there!

In order to handle that most effectively can I ask you to raise it as a GitHub issue here in the repo so we can discuss that directly with the repo maintainers? Once you have a link to it you can share it here so we can ping them. Thank you!

ashishrky · March 30, 2023, 2:20pm

Hi @konrad.sopala, I have opened a github issue at… 401 Unauthorized on POST endpoint in Spring Boot (MVC) application · Issue #26 · auth0-samples/auth0-spring-security5-api-sample · GitHub. Thanks

konrad.sopala · March 30, 2023, 2:21pm

Perfect! I’ll ping the repo maintainers in a few minutes!

ashishrky · April 11, 2023, 4:40am

Hi @konrad.sopala, did you reach out to repo maintainers? I do not see any update on this issue. This issue is blocking usage of auth0 in my project. Can you please help? Thanks.

dawid.matuszczyk · May 16, 2024, 5:47pm

Reposting solution from the team shared in the github issue:

If you turn up the logging for Spring Security in application.yml:

logging: level: org.springframework.security.web: DEBUG

You’ll see the error when you try to do a POST:

2023-04-20T10:24:21.166-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.security.web.FilterChainProxy        : Securing POST /api/public/post
2023-04-20T10:24:21.184-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://localhost:3010/api/public/post
2023-04-20T10:24:21.184-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.s.w.access.AccessDeniedHandlerImpl   : Responding with 403 status code
2023-04-20T10:24:21.186-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.security.web.FilterChainProxy        : Securing POST /error
2023-04-20T10:24:21.189-06:00 DEBUG 15786 --- [nio-3010-exec-1] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext

If you disable CSRF in SecurityConfig.java, everything will work:

http.csrf().disable();

Here’s proof:

system · May 30, 2024, 5:47pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Why is the Spring Boot integration not working once deprecated APIs are upgraded? Help auth0-java , sdks-quickstarts	1	3490	November 1, 2024
Following quickstart does not work - getting 401 Help	1	1709	January 25, 2022
AuthenticationController.buildAuthorizeUrl() not working for Spring Boot 3.1.0 Help community-topic , other	1	798	September 24, 2024
Redirect during login to /authorize does not contain origin (Spring Security, CORS) Help auth0 , login , cors , spring-security	0	3533	September 18, 2019
(still issues with) 401/Unauthorized when obtaining token in Authorization Code grant Help login-experience , new-universal-login-experience	3	1377	September 28, 2024

401 Unauthorized on POST endpoint in Spring Boot (MVC) application

Related Topics