0

I have Okta configured in my Spring Boot application, but I want to authenticate with Okta on only one endpoint and not on all URLs.

So I did this:

    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    class OktaOAuth2WebSecurityConfigurerAdapter extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests()
                    // Require authentication only for /loginOkta; no rule is given for any other URL
                    .antMatchers("/loginOkta").authenticated()
                    .and()
                    .oauth2ResourceServer().jwt();
        }
    }

It works fine, and now I can call any other GET request without Okta verification, but all the POST requests give a 403 Forbidden error.

I don't understand why all GET requests work but not POST requests (which give 403), whereas I specified in the code that only one URL (above) should be authenticated with Okta.

Philipp Grigoryev
junaidp

1 Answer

0

In addition to authentication and authorization, Spring Security also provides protection against common exploits, one of which is CSRF.

In your security configuration you have specified that only the /loginOkta requires authentication, but all other endpoints are still protected against these common exploits. That's why you're seeing the 403 response when you POST to an endpoint without including the CSRF token.

If you wish to only protect the /loginOkta endpoint, you can use a requestMatcher to have the entire security configuration apply to only that endpoint.

    http
        .antMatcher("/loginOkta")
        .authorizeRequests((authz) -> authz
            .anyRequest().authenticated()
        )
        // ...

For a more in depth explanation of authorizeRequests vs requestMatchers you can look at this question.
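The following is an added example, not code from the question or the answer above. It completes the answer's `antMatcher("/loginOkta")` idea as a full configuration and goes one step further than the answer: it adds a second, lower-precedence filter chain for every other URL. With only the scoped chain defined, requests to other URLs would bypass Spring Security entirely (no authentication, no CSRF check); the second chain leaves those endpoints unauthenticated but keeps the CSRF protection that produced the 403 in the question. Assumptions: Spring Boot 2.x with `spring-boot-starter-security` and `spring-boot-starter-oauth2-resource-server` on the classpath, `spring.security.oauth2.resourceserver.jwt.issuer-uri` pointing at the Okta issuer, a hypothetical package name, and that `/loginOkta` is called with a Bearer token rather than from a browser session (which is why CSRF is switched off only inside that chain).

```java
// Added example; hypothetical package name.
package com.example.security;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
public class SecurityConfig {

    // Chain 1: because of antMatcher(), everything configured here (authorization rules,
    // the JWT resource server, the CSRF setting) applies ONLY to /loginOkta.
    @Configuration
    @Order(1)
    public static class OktaLoginChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .antMatcher("/loginOkta")
                .authorizeRequests(authz -> authz
                    .anyRequest().authenticated()
                )
                // Assumption: this endpoint is called with an Okta-issued Bearer JWT, not a
                // browser session cookie, so the session-bound CSRF token is not applicable here.
                // The exemption is scoped to this chain and does not affect any other URL.
                .csrf(csrf -> csrf.disable())
                // Validate the Bearer token as a JWT against the configured Okta issuer.
                .oauth2ResourceServer(oauth2 -> oauth2.jwt());
        }
    }

    // Chain 2 (lower precedence, no antMatcher): every request not matched by chain 1.
    // Without this chain those requests would not pass through Spring Security at all.
    @Configuration
    @Order(2)
    public static class DefaultChain extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests(authz -> authz
                    .anyRequest().permitAll()
                );
            // CSRF stays at its default (enabled): a browser-driven POST to these endpoints
            // must carry the CSRF token, which is exactly the check behind the 403 in the
            // question. GET requests are not subject to that check, hence they always worked.
        }
    }
}
```

If the endpoints other than `/loginOkta` are also called only by non-browser clients with no session cookie, the same scoped `csrf.disable()` can be moved into `DefaultChain`; keeping it per chain rather than global makes the decision explicit for each set of URLs.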