I'm putting together a simple website using spring-boot (v2.1.3) and spring-mvc. It was working well until I added spring-security by including the spring-boot-starter-security dependency and adding an implementation of WebMvcConfigurer. Everything worked fine, including the default login and logout views, but all other forms respond with 403 Forbidden on POSTs.

The bulk of the guidance I've seen involves csrf protection. Ultimately, you want to include csrf tokens in your form, but the simplest advice is to disable csrf protection completely (http.csrf.disable()). Adding that to the security configuration had no effect.

Here is my WebMvcConfigurer implementation...

@EnableWebSecurity
public class WebSecurityConfig implements WebMvcConfigurer {

    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                    .anyRequest().authenticated()
                .and()
                    .formLogin()
                .and()
                    .httpBasic()
                .and()
                    .csrf().disable();
    }

    @Bean
    public UserDetailsService userDetailsService() throws Exception {
        InMemoryUserDetailsManager manager = new InMemoryUserDetailsManager();

        manager.createUser(User.withDefaultPasswordEncoder()
                .username("user")
                .password("password")
                .roles("USER")
                .build());

        return manager;
    }
}

Looking for any assistance on basic spring security configuration as it relates to form POSTs.

1 Answer

Implement WebSecurityConfigurer instead of WebMvcConfigurer

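import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@Configuration
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
    // WebSecurityConfigurer is an interface; this adapter class implements it
}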
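
A fuller version of the configuration this answer points to, as an added example rather than code from the question or the answer. It assumes the Spring Security version managed by Spring Boot 2.1.3 (where `WebSecurityConfigurerAdapter` is available) and server-rendered forms, and it leaves CSRF protection enabled instead of disabling it.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // @Override makes the compiler check that this method really replaces a
    // framework hook. On a class that only implements WebMvcConfigurer the
    // same annotation does not compile, because that interface declares no
    // configure(HttpSecurity) method. Without the annotation the method is
    // silently never called and the default security settings stay in force,
    // which is why adding csrf().disable() there changes nothing.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .httpBasic();
        // No csrf().disable() here: CSRF protection is on by default, so
        // each POST form has to send the token back to the server.
        //
        // Assumption: forms are rendered by a server-side template.
        // - Thymeleaf forms that use th:action get the hidden token field
        //   added automatically.
        // - In other templates (JSP shown here) add it by hand:
        //   <input type="hidden"
        //          name="${_csrf.parameterName}"
        //          value="${_csrf.token}"/>
    }
}
```

With this class in place, a POST that lacks the token is still rejected with 403, which is the intended behaviour; the fix is to add the token to the form rather than to turn the check off.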