2

I am receiving a Request method 'POST' not supported error when I add @EnableOAuth2Sso to my Spring Boot 1.5.9 / Angular 5 app.

GET requests work fine, and the JSESSIONID cookie looks like it's setting itself just fine on the front-end. Cookie is getting passed with all requests, and matches.

In the response header: Status Code: 405, Allow: GET, HEAD

This is my first Stack Overflow question, I've done all of my usual sleuthing and can't seem to get to the bottom of this one. I apologize in advance for any oversights in my asking / formatting of this question.

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;

@SpringBootApplication
@EnableOAuth2Sso
@EnableOAuth2Client
public class CompanyApplication {

    public static void main(String[] args) {
        SpringApplication.run(CompanyApplication.class, args);
    }

}


Relevant Controller

import javax.validation.Valid;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("api")
public class CompanyController {
    private static final Logger logger = LoggerFactory.getLogger(CompanyController.class);

    @Autowired
    CompanyRepository companyRepository;

    @Autowired
    ContactRepository contactRepository;

    @PostMapping("companies")
    public Company createCompany(@Valid @RequestBody Company company) {
        logger.info("*** Starting POST request of company name: {}", company.getName());
        company = updateContacts(company); // pass updated contact info into the Contact DB
        companyRepository.save(company);
        logger.info("*** Successful POST request of company: {}, ID: {}", company.getName(), company.getId());
        return company;
    }

    // updateContacts(Company) and the rest of the controller were not included in the question.
}


Config settings:

security.oauth2.client.clientId=myID
security.oauth2.client.clientSecret=mySecret
security.oauth2.client.accessTokenUri=https://myserver.com/connect/token
security.oauth2.client.userAuthorizationUri=https://myserver.com/connect/authorize
security.oauth2.client.scope=openid,profile,email
security.oauth2.resource.userInfoUri=https://myserver.com/connect/userinfo


Angular service:

public updateCompany( companyData: Company ) {
  return this.http.post(this.url, companyData);
}


Edit: I followed the advice of @theLearner below, but still wanted to add CSRF (XSRF) protection. This is how I ended up doing it:

  1. In app.module.ts add HttpClientXsrfModule to imports (I'm on Angular 5).
  2. Remove @EnableOAuth2Sso from the root CompanyApp class.
  3. Config as follows:

import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
@EnableOAuth2Sso
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests().anyRequest().authenticated()
            .and()
            // token is issued in a cookie that JavaScript can read, so Angular can echo it in a header
            .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
    }
}
    What url/api are you accessing when you get `Request method 'POST' not supported`? – tryingToLearn Feb 28 '18 at 04:37
  • api/companies - here is the full request header that is being generated: `POST /api/companies HTTP/1.1 Host: localhost:8080 Connection: keep-alive Content-Length: 278 Accept: application/json, text/plain, */* Origin: http://localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36 Content-Type: application/json Referer: http://localhost:8080/auth/companies Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: JSESSIONID=41CF1089A5BF001351F378643685EFB2` – Adrien Donat Feb 28 '18 at 19:28
  • have you tried by disabling csrf protection in your spring security config? – tryingToLearn Mar 01 '18 at 02:16
  • I have, and it works, the problem is that 'everything' works - even requests without a cookie attached... – Adrien Donat Mar 01 '18 at 15:03
  • You mean to say everything works except the POST request? Or that disabling csrf made everything work? – tryingToLearn Mar 01 '18 at 15:05
  • ...but you gave me an idea, rather than trying to secure the entire app, maybe I'll try only securing the api endpoints... – Adrien Donat Mar 01 '18 at 15:10
  • well, only GET requests work - POST, PUT and DELETE all fail - sorry, I mean to say after I disable csrf all http OPTIONS work... – Adrien Donat Mar 01 '18 at 15:11
  • I am not on my laptop right now. Let me share a solution with you in half an hour – tryingToLearn Mar 01 '18 at 15:13
  • Sorry if that was unclear - disabling csrf basically removes the SSO - no redirect to the SSO page, no cookie or anything. Also my question title says 'POST' not supported, but it would be more accurate to say only 'GET' supported as DELETE, PUT and others fail as well. – Adrien Donat Mar 01 '18 at 15:21
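The comment thread above lands on CSRF protection as the reason only GET succeeds, and the edit to the question keeps that protection with CookieCsrfTokenRepository.withHttpOnlyFalse() on the server and HttpClientXsrfModule on the client. As an added illustration, not code from the question, the answer, Angular or Spring Security, the TypeScript model below reproduces the double-submit cookie exchange those two pieces perform between them: the server issues the token in a cookie that script can read, the client copies it into the X-XSRF-TOKEN header on unsafe methods, and the server compares header and cookie. The cookie, header and parameter names are the defaults both frameworks use; the token values, session id, cookie jars and request objects are constructed for the example. Spring Security rejects a failed CSRF check with 403, so this model does not reproduce the 405 reported in the question; it shows the part the thread settled on, why unsafe methods need a token that safe ones do not, and what happens when the cookie is HttpOnly or the request URL is absolute.

```typescript
// Added model, not Angular's or Spring Security's own code: the double-submit
// cookie CSRF exchange performed by HttpClientXsrfModule (client) and
// CookieCsrfTokenRepository.withHttpOnlyFalse() + CsrfFilter (server).
// Default names shared by both frameworks:
const XSRF_COOKIE = "XSRF-TOKEN";
const XSRF_HEADER = "X-XSRF-TOKEN";
const XSRF_PARAM = "_csrf";

interface CsrfRequest {
  method: string;
  url: string;
  headers: { [name: string]: string };
  cookies: { [name: string]: string };   // cookies the browser attaches on the wire
  params?: { [name: string]: string };   // form fields, for the _csrf fallback
}

interface CookieEntry { name: string; value: string; httpOnly: boolean; }

// What page script sees through document.cookie: HttpOnly cookies are invisible,
// which is why the CSRF cookie has to be issued with httpOnly=false.
function jsVisibleCookies(jar: CookieEntry[]): { [name: string]: string } {
  const visible: { [name: string]: string } = {};
  for (const c of jar) {
    if (!c.httpOnly) visible[c.name] = c.value;
  }
  return visible;
}

// Every cookie in the jar, HttpOnly or not, as the browser sends it to the server.
function allCookies(jar: CookieEntry[]): { [name: string]: string } {
  const out: { [name: string]: string } = {};
  for (const c of jar) out[c.name] = c.value;
  return out;
}

// Client side, the decision Angular's XSRF interceptor makes: GET/HEAD and
// absolute URLs are left untouched; otherwise the visible cookie value is
// copied into the header unless the caller already set one.
function addXsrfHeader(req: CsrfRequest, jar: CookieEntry[]): CsrfRequest {
  if (req.method === "GET" || req.method === "HEAD" || /^https?:\/\//i.test(req.url)) {
    return req;
  }
  const token = jsVisibleCookies(jar)[XSRF_COOKIE];
  if (token === undefined || XSRF_HEADER in req.headers) return req;
  const headers = { ...req.headers };
  headers[XSRF_HEADER] = token;
  return { ...req, headers: headers };
}

// Compare without leaking where two tokens first differ.
function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server side, the check Spring's CsrfFilter applies with a cookie repository:
// safe methods pass; anything else must present a header (or _csrf parameter)
// equal to the token in the cookie. A failure is a 403, never a 405.
function csrfCheck(req: CsrfRequest): number {
  if (["GET", "HEAD", "TRACE", "OPTIONS"].indexOf(req.method) !== -1) return 200;
  const expected = req.cookies[XSRF_COOKIE];
  if (expected === undefined) return 403;                  // token was never issued
  const actual = req.headers[XSRF_HEADER] !== undefined
    ? req.headers[XSRF_HEADER]
    : (req.params ? req.params[XSRF_PARAM] : undefined);
  if (actual === undefined || !constantTimeEqual(actual, expected)) return 403;
  return 200;
}

// End to end: build the request the Angular client would send and run the server check.
function roundTrip(method: string, url: string, jar: CookieEntry[], viaAngularXsrf: boolean): number {
  let req: CsrfRequest = {
    method: method, url: url,
    headers: { "Content-Type": "application/json" },
    cookies: allCookies(jar),
  };
  if (viaAngularXsrf) req = addXsrfHeader(req, jar);
  return csrfCheck(req);
}

// Constructed sample jars; token and session values are made up.
const JAR_OK: CookieEntry[] = [
  { name: "JSESSIONID", value: "constructed-session-id", httpOnly: true },
  { name: XSRF_COOKIE, value: "constructed-csrf-token", httpOnly: false },
];
// Same token, but issued HttpOnly: Angular cannot read it, so no header is ever added.
const JAR_HTTPONLY: CookieEntry[] = [
  { name: "JSESSIONID", value: "constructed-session-id", httpOnly: true },
  { name: XSRF_COOKIE, value: "constructed-csrf-token", httpOnly: true },
];

console.log(roundTrip("GET", "/api/companies", JAR_OK, false));        // 200: safe method
console.log(roundTrip("POST", "/api/companies", JAR_OK, true));        // 200: header echoed from cookie
console.log(roundTrip("POST", "/api/companies", JAR_OK, false));       // 403: cookie sent, header missing
console.log(roundTrip("POST", "/api/companies", JAR_HTTPONLY, true));  // 403: script cannot read the cookie
console.log(roundTrip("DELETE", "http://localhost:8080/api/companies/1", JAR_OK, true)); // 403: absolute URL skipped
```

Two things the model makes visible that are easy to miss in a real setup: the JSESSIONID cookie being present and matching (as the question observes) says nothing about the CSRF token, because the session cookie is HttpOnly and is never the value being compared; and Angular's interceptor only adds the header for relative URLs, so if `this.url` in the service is absolute (`http://localhost:8080/api/companies`) the cookie is sent but the header is not, which fails the check exactly like a request with no token at all.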

1 Answer

0

These are the things you need to do.

  1. In application properties add this config:

security.oauth2.resource.filter-order=3

More info about this is here.

  2. Since you have not posted your Spring security config yet, I'm not sure how it is right now. But it should look like this:

    import org.springframework.boot.autoconfigure.security.oauth2.client.EnableOAuth2Sso;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableOAuth2Sso
    public class WebSecurityConfigurer extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.csrf().disable() // or replace this with your csrf token repository
                .authorizeRequests()
                .anyRequest().authenticated();
        }
    }


This SO post explains that if @EnableOAuth2Sso is not used carefully it can really mess up the entire security configuration.

tryingToLearn
  • I upvoted it, but my reputation is too low for it to show, thank you again. Another side note, seems like it works fine even if I comment out `security.oauth2.resource.filter-order=3` I think this may be a result of being on Spring Boot Starter version 1.5.9 vs an older version... – Adrien Donat Mar 01 '18 at 17:32
  • Maybe. That's why I included a link to the filter order issue page so that you can go through the details. – tryingToLearn Mar 01 '18 at 17:35