Title: Spring Security POST Request Failing with 401 Unauthorized
Description:
I’m encountering an issue with my Spring Boot application where POST requests are failing with a 401 Unauthorized error. Below is my Spring Security configuration:
```java
package com.spboot.DohaRiff.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class SpringSecurityConfig {

    SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf((csrf) -> csrf.disable())
                .authorizeHttpRequests((authorize) -> {
                    authorize.requestMatchers(HttpMethod.POST, "/api/**").hasRole("ADMIN");
                    authorize.requestMatchers(HttpMethod.PUT, "/api/**").hasRole("ADMIN");
                    authorize.requestMatchers(HttpMethod.DELETE, "/api/**").hasRole("ADMIN");
                    authorize.anyRequest().authenticated();
                }).httpBasic(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public static PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails hulkNaik = User.builder()
                .username("hulkNaik")
                .password(passwordEncoder().encode("Pass123"))
                .roles("USER")
                .build();
        UserDetails admin = User.builder()
                .username("admin")
                .password(passwordEncoder().encode("admin"))
                .roles("ADMIN")
                .build();
        return new InMemoryUserDetailsManager(hulkNaik, admin);
    }
}
```
And here is the header I’m trying to pass in the POST request:
```json
{
  "id": 4,
  "title": "TEST",
  "description": "TES",
  "userComments": "TEST",
  "author": "Host",
  "source": "Saped"
}
```
Issue:
When sending a POST request using Postman, I’m receiving a 401 Unauthorized error. However, I’m able to log in using a browser without any issues.
Additional Context:
- I’ve configured my Spring Security to restrict POST, PUT, and DELETE requests to users with the ADMIN role.
- I’ve ensured that the credentials are correct when sending the request.
- I’ve tried different variations of the request headers without success.
Expected Behavior:
I expect the POST request to be successfully authenticated and processed, returning the appropriate response.
Actual Behavior:
The POST request returns a 401 Unauthorized error.
Steps to Reproduce:
- Send a POST request using Postman with the provided header.
- Receive a 401 Unauthorized error response.
Any insights or suggestions on resolving this issue would be greatly appreciated. Thank you!
Green guy is a new contributor to this site.
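An added example, not part of the original question: a MockMvc test that checks whether the access rules in the posted `SecurityFilterChain` are the ones actually enforced for a POST under `/api/**`. If that chain is not registered as a bean, Spring Boot's default chain (CSRF protection on) handles the request instead, and the anonymous and admin cases below fail with 403. Assumptions: Spring Boot 3.x with `spring-boot-starter-test` and `spring-security-test` on the test classpath; the class name and the `/api/items` path are hypothetical.

```java
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;

@SpringBootTest
@AutoConfigureMockMvc
class ApiSecurityRulesTest { // hypothetical test class, not from the question

    @Autowired
    private MockMvc mvc;

    // Constructed request: "/api/items" is a hypothetical path under the /api/** pattern.
    private MockHttpServletRequestBuilder jsonPost() {
        return post("/api/items").contentType(MediaType.APPLICATION_JSON)
                .content("{\"id\": 4, \"title\": \"TEST\"}");
    }

    @Test
    void anonymousPostGetsBasicAuthChallenge() throws Exception {
        // httpBasic's entry point answers 401; a 403 here means CSRF rejected it first.
        mvc.perform(jsonPost()).andExpect(status().isUnauthorized());
    }

    @Test
    void userRoleIsAuthenticatedButForbidden() throws Exception {
        mvc.perform(jsonPost().with(httpBasic("hulkNaik", "Pass123")))
                .andExpect(status().isForbidden());
    }

    @Test
    void adminPostPassesTheSecurityFilters() throws Exception {
        int sc = mvc.perform(jsonPost().with(httpBasic("admin", "admin")))
                .andReturn().getResponse().getStatus();
        // 404/405 is fine when no handler exists; only 401/403 mean security blocked it.
        assertTrue(sc != 401 && sc != 403, "admin POST blocked with " + sc);
    }
}
```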