403 on POST requests

Hello. I am new to web development, and I've been stuck with an issue for the last 2 days.
I am using Thymeleaf and Java for my webapp, and integrated the Auth0 register/login function with my app. I also have a local MySQL database, in which I store data about the users (use of ID token). In my database, each user can have multiple entities. When I use the GetMapping, I can display the associated entities to each user, but when I try to add a new one with a POST request mapped on a button, I get 403. I've tried a bunch of stuff, but at this point I am not sure if the issue is with the SecurityFilterChain, with my app configuration or if I need to add the database address to my API list in Auth0 (I did add it, but it does not work). My code doesn't reach the POST mapping method in my controller. Sorry for the absolute beginner question. Thank you.

Hey. Thanks for reaching out to the community.

Did you use PostMapping for your use case? It should be something like below.

    @PreAuthorize("hasAuthority('create:items')") // ✨ 👈 New line ✨
    public ResponseEntity<Item> create(@Valid @RequestBody Item item) {...}

Let me know if this works.


Are you able to share your method with the POST mapping, as well as your Security configuration? That might help us figure out what’s happening.

Hello. I've tried to use the @PreAuthorize annotation after I added the corresponding permission to my API permissions and to the specific user; it doesn't help. Also, I noticed that the principal.authorities list does not contain the additional permission, not sure if that is related.
This is the SecurityConfig.java I use:

    @Bean
    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                .requestMatchers("/", "/images/**", "/addAccount", "/myaccounts", "/**").permitAll()

            )
            .logout(logout -> logout

            );
        return http.build();
    }

    private LogoutHandler logoutHandler() {
        return (request, response, authentication) -> {
            try {
                String baseUrl = ServletUriComponentsBuilder.fromCurrentContextPath().build().toUriString();
                response.sendRedirect(issuer + "v2/logout?client_id=" + clientId + "&returnTo=" + baseUrl);
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        };
    }

And this is the POST mapping method (class annotated with @Controller and @RequiredArgsConstructor).

    public String addAccount(@RequestParam("newDomain") String newDomain,
                             @RequestParam("newPassword") String newPassword,
                             @AuthenticationPrincipal OidcUser principal) {
        if (principal == null) {
            return "redirect:/index";
        }
        Account newAccount = new Account();


        return "redirect:/myaccounts";
    }

After doing some changes in my configuration with disabling CSRF, it seems to have solved the issue (my code reaches my controller method). Thank you for your replies.
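
Added example, not part of any post in this thread: Spring Security rejects a POST that carries no valid CSRF token with 403 before the controller is reached, so the form can send the token instead of the protection being switched off. The class name `CsrfAwareSecurityConfig`, the Spring Security 6 lambda DSL, the access rules and the form markup in the comment are assumptions; the paths and parameter names are the ones posted above.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical class name; Spring Security 6 with the OAuth2 client starter assumed.
@Configuration
@EnableWebSecurity
public class CsrfAwareSecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize
                // Public pages only; no catch-all "/**" under permitAll().
                .requestMatchers("/", "/images/**").permitAll()
                // Assumption: the account pages require a logged-in user.
                .requestMatchers("/addAccount", "/myaccounts").authenticated()
                .anyRequest().authenticated()
            )
            .oauth2Login(Customizer.withDefaults())
            // CSRF protection is on by default; spelled out here for clarity.
            // The weak variant would be: .csrf(csrf -> csrf.disable())
            .csrf(Customizer.withDefaults());
        return http.build();
    }
}

/*
 * Thymeleaf form (assumed markup). Using th:action instead of a plain
 * action attribute lets Thymeleaf's Spring integration add the hidden
 * _csrf input, so the POST passes the CSRF filter:
 *
 * <form th:action="@{/addAccount}" method="post">
 *   <input type="text" name="newDomain"/>
 *   <input type="password" name="newPassword"/>
 *   <button type="submit">Add account</button>
 * </form>
 *
 * For a form written with a plain action attribute, add the token by hand:
 * <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
 */
```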