I have a spring boot application that is not using spring security at all, and when some requests come through for static resources, the server returns a 403.
The spring boot application is running in a tomcat 9 server (not embedded). A lot of the requests triggering the 403 come from mobile devices. I have read a lot of articles about this issue but they all refer to the spring security implementation which I am not using.
Has anyone experienced this? Any help/suggestions would be greatly appreciated.
Here's my pom file:
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.valspar</groupId>
<artifactId>rest.valspar.com</artifactId>
<version>2.0</version>
<packaging>war</packaging>
<name>Valspar Web-Services</name>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.2.5.RELEASE</version>
<relativePath /> <!-- lookup parent from repository -->
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<version.jdk>1.8</version.jdk>
<ms.sql.version>1.0</ms.sql.version>
<maven-git-code-format.version>1.31</maven-git-code-format.version>
</properties>
<dependencies>
<!-- SpringBoot Dependencies -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jersey</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<artifactId>logback-classic</artifactId>
<groupId>ch.qos.logback</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-oracle</artifactId>
<version>1.0.0.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/commons-discovery/commons-discovery -->
<dependency>
<groupId>commons-discovery</groupId>
<artifactId>commons-discovery</artifactId>
<version>0.5</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.microsoft.sqlserver/mssql-jdbc -->
<dependency>
<groupId>com.microsoft.sqlserver</groupId>
<artifactId>mssql-jdbc</artifactId>
<version>6.4.0.jre8</version>
</dependency>
<!-- https://mvnrepository.com/artifact/wsdl4j/wsdl4j -->
<dependency>
<groupId>wsdl4j</groupId>
<artifactId>wsdl4j</artifactId>
<version>1.6.3</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.axis/axis -->
<dependency>
<groupId>org.apache.axis</groupId>
<artifactId>axis</artifactId>
<version>1.4</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-log4j -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j</artifactId>
<version>1.3.8.RELEASE</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.microsoft.sqlserver/sqljdbc41 -->
<dependency>
<groupId>com.microsoft</groupId>
<artifactId>sqljdbc4</artifactId>
<version>${ms.sql.version}</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.oracle/classes12 <dependency>
<groupId>oracle</groupId> <artifactId>ojdbc5</artifactId> <version>11.2.0.3</version>
</dependency> -->
<!-- Oracle JDBC driver -->
<dependency>
<groupId>com.oracle.database.jdbc</groupId>
<artifactId>ojdbc8</artifactId>
<version>12.2.0.1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/javax.xml/jaxrpc -->
<dependency>
<groupId>javax.xml</groupId>
<artifactId>jaxrpc</artifactId>
<version>1.1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.xml/serializer -->
<dependency>
<groupId>serializer</groupId>
<artifactId>serializer</artifactId>
<version>2.7.1</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.hibernate/hibernate-core -->
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-core</artifactId>
<version>${hibernate.version}</version>
</dependency>
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-entitymanager</artifactId>
<version>${hibernate.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.ldap</groupId>
<artifactId>spring-ldap-core</artifactId>
</dependency>
<!-- https://mvnrepository.com/artifact/com.force.api/force-partner-api -->
<dependency>
<groupId>com.force.api</groupId>
<artifactId>force-partner-api</artifactId>
<version>44.0.0</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.smartystreets.api/smartystreets-java-sdk -->
<dependency>
<groupId>com.smartystreets.api</groupId>
<artifactId>smartystreets-java-sdk</artifactId>
<version>3.3.8</version>
<exclusions>
<exclusion>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.mindscapehq</groupId>
<artifactId>raygun4java</artifactId>
<type>pom</type>
<version>1.3.2</version>
</dependency>
<dependency>
<groupId>com.mindscapehq</groupId>
<artifactId>core</artifactId>
<version>1.3.2</version>
</dependency>
<!-- https://mvnrepository.com/artifact/org.apache.ws.security/wss4j -->
<dependency>
<groupId>org.apache.ws.security</groupId>
<artifactId>wss4j</artifactId>
<version>1.5.6</version>
<exclusions>
<exclusion>
<groupId>javax.servlet</groupId>
<artifactId>servlet-api</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
<version>3.1.0</version>
<scope>provided</scope>
</dependency>
<!-- https://mvnrepository.com/artifact/org.pojava/datetime -->
<dependency>
<groupId>org.pojava</groupId>
<artifactId>datetime</artifactId>
<version>3.0.2</version>
</dependency>
<!-- https://mvnrepository.com/artifact/struts/struts -->
<dependency>
<groupId>struts</groupId>
<artifactId>struts</artifactId>
<version>1.2.9</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<finalName>wservices</finalName>
<sourceDirectory>src/main/java</sourceDirectory>
<resources>
<resource>
<directory>src/main/resources</directory>
<filtering>true</filtering>
</resource>
</resources>
<filters>
<filter>${basedir}/ci/profiles/build-${build.profile.id}.properties</filter>
</filters>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-compiler-plugin</artifactId>
<configuration>
<source>${version.jdk}</source>
<target>${version.jdk}</target>
</configuration>
</plugin>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
<plugin>
<groupId>com.cosium.code</groupId>
<artifactId>maven-git-code-format</artifactId>
<version>${maven-git-code-format.version}</version>
<executions>
<!-- On commit, format the modified java files -->
<!-- Un-comment the following execution block for the first build of
the project. Revert to HEAD revision after project is built successfully
for the first time. -->
<!-- <execution> <id>install-formatter-hook</id> <goals> <goal>install-hooks</goal>
</goals> </execution> -->
<!-- On Maven verify phase, fail if any file (including unmodified)
is badly formatted -->
<execution>
<id>validate-code-format</id>
<goals>
<goal>validate-code-format</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
I ran the application as standalone (without external Tomcat) and the problem does not seem to occur. This is pointing more to an interaction between the two or tomcat 9 configuration issue.
The problem was a tomcat 9 mis-configuration with a security realm and had nothing to do with Spring. The security real was not connecting to the user database so it was blocking anything static.