I am working on a Web App with Angular and Spring Boot. After testing the App locally i deployed the server on render to test it on the network. But if i make a post request to my server i get 403. The pre-flight OPTIONS is working fine. This is my security configuration ins spring boot
@Bean
CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOrigins(Arrays.asList("http://yasa.gmbh","https://s995626175.online.de","https://yasa.gmbh","https://s995626175.online.de", "http://localhost:4200"));
configuration.setAllowedMethods(Arrays.asList("GET","POST", "OPTIONS", "DELETE", "PUT", "PATCH"));
configuration.setAllowCredentials(true);
configuration.setAllowedHeaders(Arrays.asList("*"));
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
source.registerCorsConfiguration("/**", configuration);
return source;
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
// set the name of the attribute the CsrfToken will be populated on
requestHandler.setCsrfRequestAttributeName(null);
http
.csrf((csrf) -> csrf
.csrfTokenRequestHandler(requestHandler)
.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
)
.cors((cors) -> cors
.configurationSource(corsConfigurationSource())
)
.addFilterBefore(exceptionHandlerFilter, CorsFilter.class)
.addFilterBefore(exceptionHandlerFilter, UsernamePasswordAuthenticationFilter.class)
.addFilterAfter(jwtTokenVerifierFilter, ExceptionHandlerFilter.class)
this is the OPTION Request
Access-Control-Allow-Credentials:
true
Access-Control-Allow-Headers:
access-control-allow-credentials, content-type, x-xsrf-token
Access-Control-Allow-Methods:
GET,POST,OPTIONS,DELETE,PUT,PATCH
Access-Control-Allow-Origin:
http://localhost:4200
Alt-Svc:
h3=":443"; ma=86400
Cache-Control:
no-cache, no-store, max-age=0, must-revalidate
Cf-Cache-Status:
DYNAMIC
Cf-Ray:
85347d8d3f4a9be9-FRA
Content-Length:
0
Date:
Sat, 10 Feb 2024 12:52:38 GMT
Expires:
0
Pragma:
no-cache
Rndr-Id:
73b39463-e1fd-472c
Server:
cloudflare
Strict-Transport-Security:
max-age=31536000 ; includeSubDomains
Vary:
Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Accept-Encoding
X-Content-Type-Options:
nosniff
X-Frame-Options:
DENY
X-Render-Origin-Server:
Render
X-Xss-Protection:
0
annd this is the post login
:authority:
school-system-ev3t.onrender.com
:method:
POST
:path:
/api/v1/auth/login
:scheme:
https
Accept:
application/json, text/plain, */*
Accept-Encoding:
gzip, deflate, br
Accept-Language:
en-US,en-DE;q=0.9,en;q=0.8,de-DE;q=0.7,de;q=0.6,ar-SY;q=0.5,ar;q=0.4
Access-Control-Allow-Credentials:
true
Cache-Control:
no-cache
Content-Length:
63
Content-Type:
application/json
Origin:
http://localhost:4200
Pragma:
no-cache
Referer:
http://localhost:4200/
Sec-Ch-Ua:
"Not A(Brand";v="99", "Google Chrome";v="121", "Chromium";v="121"
Sec-Ch-Ua-Mobile:
?0
Sec-Ch-Ua-Platform:
"Windows"
Sec-Fetch-Dest:
empty
Sec-Fetch-Mode:
cors
Sec-Fetch-Site:
cross-site
User-Agent:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
X-Xsrf-Token:
67bb57fc-6823-4b2c-b651-25596b871f4d
I have tested my Server Endpoints with postman and it works fine(but i still not able to change data when send put request), so i think that there is somthing with my cors configuration, but i don't know what i have miised. So please can u help me with this issue?
NOTE: i have deployed my Spring Boot App on GCP and i was able to make all request that dose not update or insert data on DB(login was success but update request for some users infor throw 403 error)
changing the cros configuration, test the server form my domain yasa.gmbh ect... I have allowed all Headers but it did'nt help
The Problem is that i am using CSRF protection, and the browser did't accet the csrf Token and delte it, which cause the 403 Erorr. So after disabling the csrf protection it works fine. But i still not understand, why it worked locally?