java spring openApi : swagger request returns status code 403

Question

I've a springboot/openapi application. No dependency on spring security. When launching a POST request via swagger, the returned status is 403. The request doesn't arrive in the controller class. A Get request however does work and returns a status 200.

The following is configured

@Configuration
public class Config {

        @Bean
        ForwardedHeaderFilter forwardedHeaderFilter() {
            return new ForwardedHeaderFilter();
        }
    
    }
}

application.yaml

server:
  port: 50086
  forward-headers-strategy: framework
  use-forward-headers: true

What could be the cause of the status 403 ?

Controller

@CrossOrigin
@RestController
@RequestMapping("/ta")
public class TaController {

    @Operation(summary = "Calculate")
    @RequestMapping(value = "/calculateWithPrices", method = RequestMethod.POST)
    public ResponseEntity<CaculationResponseDto> calculateWithPrices(@RequestBody CaculationWithPricesRequestDto caculationWithPricesRequestDto) {

        // code ...
         
}

Answer 1

Try to add a SecurityConfig which inherits from WebSecurityConfigurerAdapter. Example is here.
With the method configure you can set the access to specific url-endpoints and allow the call on them.

@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private CustomAuthenticationProvider authProvider;

    @Autowired
    public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authProvider).eraseCredentials(false);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.httpBasic().and().authorizeRequests().antMatchers("**apiEndpoint**").authenticated()
                .and().csrf().disable().headers().frameOptions().disable().and().sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS);

        // Deactivate authorization for whole application
//        http.authorizeHttpRequests().antMatchers("/**").permitAll().and().csrf().disable();
    }
}

Class CustomAuthenticationProvider:

@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {

@Autowired
private ICustomerRepository customerRepository;

@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {

    String id = authentication.getName().toString();
    String pin = authentication.getCredentials().toString();

    try {
        // Check if the customer passed in Username exists
        CustomerDTO customer = customerRepository.findById(Long.parseLong(id)).orElseThrow();
    } catch (Exception e) {
        // TODO Auto-generated catch block
        throw new BadCredentialsException(id);
    }

    Collection<? extends GrantedAuthority> authorities = Collections
            .singleton(new SimpleGrantedAuthority("ROLE_CUSTOMER"));

    return new UsernamePasswordAuthenticationToken(id, pin, authorities);
}

@Override
public boolean supports(Class<?> authentication) {
    return authentication.equals(UsernamePasswordAuthenticationToken.class);
}

}