Spring 4 Boot, Security and Android -> POST HttpClientErrorException 403 Forbidden

Question

Good Afternoon,

I am getting an error when trying to POST some data to my server deployed on tomcat. I think it's a Spring security issue.

On the server, here is my security setup:

    try {
          http.authorizeRequests()
            .antMatchers("/", "/home").permitAll()
            .antMatchers("/mainMenu/admin/*").access("hasRole('" + ENUM_USER_ROLES.ADMIN.getValue() +"')")
            .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")   
            .antMatchers("/dba/**").access("hasRole('ROLE_ADMIN') or hasRole('ROLE_DBA')")          
            .antMatchers(HttpMethod.GET,"/api/mobile/**").authenticated()           
            .antMatchers(HttpMethod.POST,"/api/mobile/**").authenticated()          
//            .antMatchers(HttpMethod.POST, "/api/mobile/**").access("hasRole('COMPANY_MOBILE')")       
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .permitAll()
            .and()
            .logout()
            .permitAll();
          http.httpBasic();
        } catch(Exception e) {
            logger.error(e.getMessage());
        }

In the controller, I have 2 methods:

@RequestMapping(value = "/api/mobile/test/1", method=RequestMethod.GET, produces={"application/json"})
    public @ResponseBody String populateActivePSwapBasketGET() {                

        return "HELLO get";
    }

       @RequestMapping(value = "/api/mobile/test/2", method=RequestMethod.POST, produces={"application/json"})
        public @ResponseBody String populateActivePSwapBasketPOST() {               

            return "HELLO post";
        }

From my android point of view, I am calling the first GET method successfully but the POST method is throwing a

org.springframework.web.client.HttpClientErrorException: 403 Forbidden

On the Android phone, here are the 2 ways I am calling the Get and Post methods on the server. The second gives me the exception:

 HttpAuthentication authHeader = new HttpBasicAuthentication(userName, password);
        HttpHeaders requestHeaders = new HttpHeaders();
        requestHeaders.setAuthorization(authHeader);


        final Gson gson = new Gson();
        // Create the request body as a MultiValueMap
        MultiValueMap<String, String> body = new LinkedMultiValueMap<String, String>();
    HttpEntity<?> requestEntity = new HttpEntity<Object>(requestHeaders);

 RestTemplate restTemplate = new RestTemplate(true);
        try {
            ResponseEntity<String> out1 = restTemplate.exchange(
                    AndroidPhoneProperties.REST_API + "/api/mobile/test/1",
                    HttpMethod.GET,
                    requestEntity,
                    String.class);

            ResponseEntity<String> out2 = restTemplate.exchange(
                    AndroidPhoneProperties.REST_API + "/api/mobile/test/2",
                    HttpMethod.POST,
                    requestEntity,
                    String.class);
            String asd = "";
        } catch (HttpClientErrorException e) {
            CustomAppLogging.e(this.getClass().getName(), CLASSNAME + " HttpClientErrorException " + e.getMessage());
        } 

Here is my gradle file for the server:

dependencies {
    compile("org.springframework.boot:spring-boot-starter-thymeleaf")
    compile("org.springframework.boot:spring-boot-starter-security")
    compile("org.springframework:spring-jdbc:4.1.0.RELEASE")
    compile("org.springframework.boot:spring-boot-starter-data-jpa")
    compile("mysql:mysql-connector-java:5.1.+")
    compile("org.webjars:bootstrap:3.0.3")
    compile("org.webjars:jquery:2.0.3-1")
    compile("org.springframework.security.oauth:spring-security-oauth2:2.0.7.RELEASE")
    compile("org.thymeleaf:thymeleaf-spring4")
    compile("nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect")
    compile("org.springframework.boot:spring-boot-starter-web")
    compile("com.google.code.gson:gson:2.2.4")
    providedRuntime("org.springframework.boot:spring-boot-starter-tomcat")

    testCompile("junit:junit")
}

And here is the Gradle file for my android project:

dependencies {
    compile fileTree(include: ['*.jar'], dir: 'libs')
    compile 'com.android.support:appcompat-v7:22.2.0'
    compile 'com.squareup.retrofit:retrofit:2.0.0-beta1'
    compile 'com.squareup.retrofit:converter-gson:2.0.0-beta1'
    compile 'com.squareup.retrofit:adapter-rxjava:2.0.0-beta1'
    compile 'com.google.code.gson:gson:2.3'
    compile 'org.springframework.android:spring-android-rest-template:2.0.0.M1'
    compile 'com.android.support:design:22.2.0'
    compile 'com.android.support:support-v4:22.1.1'
    compile 'de.hdodenhof:circleimageview:1.3.0'


}

When I'm testing this, I'm running it from the command line like so:

java -Xdebug -Xrunjdwp:server=y,transport=dt_socket,address=8000,suspend=n -jar build/libs/xxx-0.1.0.jar

Where can I see the logs from the Spring security that could tell me more information as to why the POST is being rejected? If I switch to deploying it on my tomcat server, will I get better logs?

If you want any more info please ask.

Thanks for your help.

Answer 1

Disabled CSRF.

@Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                // ...
                .csrf().disable();
        }

Answer was posted here:

spring security 403 error