Using Vue.js, I'm trying to implement a JWT login form against a RESTful API built with Spring Boot, but unless I add the bearer token to the request, all I get is a 403 status. I have set up the endpoint to be accessible without any permission, and in Postman the request can be sent without the Authorization header. This is part of my security configuration in Spring:
```java
.antMatchers(HttpMethod.POST, "/auth/login").permitAll()
```
This is my vue.js service that makes the POST request:
```javascript
import axios from 'axios'

const USER_API_BASE_URL = 'http://localhost:8080/auth/login/'

// Request headers sent with the login POST (the bearer header is the one in question)
const config = {
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer (hereGoesTheToken)'
  }
}

class LoginService {
  postLogin(emailInput, passwordInput) {
    const user = JSON.stringify({ email: emailInput, password: passwordInput })
    // axios.post returns a Promise; the caller is expected to await/then it
    const response = axios.post(USER_API_BASE_URL, user, config)
    console.log(response)
    return response
  }
}

export default new LoginService()
```
I want to make it so that a token is not required to access the endpoint where you request that same token... Is there any way to do this?
I'm not 100% sure, but your 403 is most likely caused by CSRF protection. Check out JWT Login Example for an example of how to enable JWT authentication on the server.
To summarize, if you enable HTTP basic (`.httpBasic()`) and disable session management (`.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)`), CSRF can also be disabled (`.csrf().disable()`). This would be the recommended way to achieve what you want to do, since stateless servers (in terms of session management) are less susceptible to CSRF protection.

You can also implement your own authentication endpoint, here is your example, in which case you don't need to enable `.httpBasic()`. In this case you can use `.oauth2ResourceServer(OAuth2ResourceServerConfigurer::jwt)`. Check out this Tanzu Tuesday Talk to learn more about JWT authentication (why and why not).

It is important to point out that any form of session on the server makes you vulnerable to CSRF attacks, so it is important to ensure that `JSESSIONID` or similar does not enter the browser. Please see this question and several other similar questions, as similar questions have been asked frequently before.