GET Request works fine in Postman but returns 403 in fetch Spring Boot-CodePudding

My backend in spring boot won't allow fetch request in react but allows it in postman, the weird thing is I have second fetch request that seems to be working fine.
Security config:

@Override
    protected void configure(HttpSecurity http) throws Exception {
        CustomAuthenticationFilter customAuthenticationFilter =new CustomAuthenticationFilter(authenticationManagerBean());
        customAuthenticationFilter.setFilterProcessesUrl("/login");
        http.csrf().disable();
        http.cors();
        http.sessionManagement().sessionCreationPolicy(STATELESS);
        http.authorizeRequests().antMatchers("/login/**","/api/token/refresh/**").permitAll();
        http.authorizeRequests().antMatchers("/test/**").permitAll();
        http.authorizeRequests().antMatchers(GET, "/user/**").hasAnyAuthority("ROLE_USER");
        http.authorizeRequests().antMatchers(POST, "/user/save/**").hasAnyAuthority("ROLE_ADMIN");
        http.authorizeRequests().anyRequest().authenticated();
        http.addFilter(customAuthenticationFilter);
        http.addFilterBefore(new CustomAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class);
    }

Fetch request that works:

fetch("http://localhost:8080/login", {
      method: "POST",
      headers: {
        "Content-Type": "application/x-www-form-urlencoded"
      },
      withCredentials: true,
      body: new URLSearchParams(tempLoginCredentials),
    })

Fetch request that doesn't work (this path on backend I wrote for testing):

fetch("http://localhost:8080/test/a", {
      method: "GET",
      withCredentials:true
    })

Endpoint I am trying to access:

@RestController
@CrossOrigin(
        origins = {"http://127.0.0.1:3000/"},
        allowCredentials = "true",
        maxAge = 3600,
        allowedHeaders = "*",
        methods= {RequestMethod.GET,RequestMethod.POST,
                RequestMethod.DELETE, RequestMethod.PUT,
                RequestMethod.PATCH, RequestMethod.OPTIONS,
                RequestMethod.HEAD, RequestMethod.TRACE}
)
@RequestMapping("/test")
public class PingController {
    @GetMapping("/a")
    public void formPage(){
        System.out.println("a");
    }
}

Response in browser

CodePudding user response：

Can you use the annotation to secure ure api

 @RequestMapping("/test")
public class PingController {
    @GetMapping("/a")
    @PreAuthorize( value="isAuthenticated()")
    public void formPage(){
        System.out.println("a");
    }
}

and in ure config :

 @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and().csrf().disable()
                .exceptionHandling().authenticationEntryPoint(unauthorizedHandler).and()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .authorizeRequests().antMatchers("/api/auth/**").permitAll()
                .antMatchers("/api/test/**").permitAll()
                .anyRequest().authenticated();
        http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class);
    }

CodePudding user response：

Modify your HTTPSecurity method and add http.authorizeRequests().antMatchers("/test/a/**").permitAll();