
So, I am developing a very basic blog using Spring Boot, and as I am getting to the controllers layer, I want to test with Postman. GET requests are working perfectly fine, but POST requests are getting 403 Forbidden.

I have been doing a lot of research and it seems it is all about the default Spring Security CSRF cookie. I have tried a bunch of different things (like this one https://dev.to/shane/using-postman-with-java-spring-and-csrf-tokens-di0), but the thing is, when I do it, the csrf variable in Postman never gets filled. It is always undefined.

On the other hand, I know there are ways to disable CSRF, but I don't want that. It does not solve anything; it is just bypassing the problem without really understanding how to tackle it.

How can I get past this? How can I get Postman to get the CSRF cookie and put it in a variable that I can then reuse in a POST request?

  • Spring Security supports different configurations for CSRF - how is yours configured? – Ralph Oct 31 '22 at 20:18
  • I don't know :D... Where can I check this? – Tamsin-chan Oct 31 '22 at 20:46
  • One way is to open the URL with your browser and copy the session cookie and CSRF token into Postman. You can also try https://www.baeldung.com/postman-send-csrf-token – dur Nov 01 '22 at 10:12
  • @Tamsin-chan: just post your configuration for Spring Security (remove all passwords beforehand!) – Ralph Nov 02 '22 at 09:56
  • @dur The link you posted is the reason I am here :). I tried this method, and the variable is never set. It stays undefined, so my POST requests never go through :/. Do you have an idea why it would behave this way? – Tamsin-chan Nov 02 '22 at 21:24
  • @Ralph I did not configure spring security at all, I'm using it out of the box for now :) – Tamsin-chan Nov 02 '22 at 21:25
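
An added example, not part of the original question or comments: a token-lookup function showing where the CSRF token can be found in a GET response under Spring Security's two common token repositories, and why a script that only reads a cookie ends up with nothing on an unconfigured application. The function name `findCsrfToken` and the sample responses are hypothetical and constructed for illustration; the cookie, field and header names are Spring Security's defaults.

```javascript
// Added example: findCsrfToken and the sample responses are hypothetical.
// Given the Set-Cookie headers and body of a GET response, work out which
// CSRF token to replay on the following POST, PUT or DELETE.
function findCsrfToken(setCookieHeaders, body) {
  // Case 1: CookieCsrfTokenRepository is configured. The token arrives in an
  // XSRF-TOKEN cookie and must be echoed back in the X-XSRF-TOKEN header.
  for (const line of setCookieHeaders) {
    const match = /^XSRF-TOKEN=([^;]+)/.exec(line);
    if (match) {
      return { source: "cookie", header: "X-XSRF-TOKEN", token: decodeURIComponent(match[1]) };
    }
  }
  // Case 2: the out-of-the-box setup keeps the token in the HTTP session
  // (HttpSessionCsrfTokenRepository). No CSRF cookie is sent; the token only
  // appears in rendered pages as a hidden _csrf field, and it is valid only
  // together with the session cookie (JSESSIONID) of that same session.
  const inputTag = /<input\b[^>]*\bname="_csrf"[^>]*>/i.exec(body);
  if (inputTag) {
    const value = /\bvalue="([^"]*)"/i.exec(inputTag[0]);
    if (value) {
      return { source: "form", header: "X-CSRF-TOKEN", token: value[1] };
    }
  }
  // Neither found: a cookie-reading script is left with `undefined` here.
  return null;
}

// Constructed sample responses (not captured from a real server).
const defaultSetup = {
  setCookie: ["JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly"],
  body: '<form method="post" action="/login">' +
        '<input name="_csrf" type="hidden" value="constructed-token-1" /></form>',
};
const cookieSetup = {
  setCookie: ["XSRF-TOKEN=constructed-token-2; Path=/"],
  body: "[]",
};
const jsonOnly = {
  setCookie: ["JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly"],
  body: "[]",
};

for (const [name, r] of Object.entries({ defaultSetup, cookieSetup, jsonOnly })) {
  console.log(name, findCsrfToken(r.setCookie, r.body));
}
```

The `jsonOnly` case is the one that matches a REST controller on an unconfigured application: the response carries a session cookie but no CSRF token anywhere, so the token has to come from a rendered page of the same session or from a configuration that exposes it.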

0 Answers