
Spring Boot + JWT + Kotlin: login endpoint returns 403, help requested

Hey there, let's break down why you're getting that 403 Forbidden error when sending a POST to your login endpoint while building out auth for your Kotlin REST API. Here are the most common culprits and fixes to check:

1. Spring Security CSRF Protection is Blocking Your Request

By default, Spring Security enables CSRF protection, which rejects state-changing requests (POST, PUT, DELETE) that don't carry a valid CSRF token, and that rejection is a 403. CSRF protection exists to defend cookie-based sessions that the browser attaches automatically; an API authenticated only by a JWT sent in the Authorization header (mobile apps, decoupled frontends) gets no benefit from it, so it is usually disabled there.

Fix: Disable CSRF in your Spring Security configuration (adjust for your Spring Security version):

@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
    http.csrf { it.disable() } // Disable CSRF for API endpoints
    // Rest of your security rules...
    return http.build()
}

If you need to keep CSRF enabled (for web forms, or any endpoint authenticated by a session cookie), make sure your POST request includes the X-XSRF-TOKEN header with the token fetched from the server's XSRF-TOKEN cookie. That cookie is only issued if you configure CookieCsrfTokenRepository.withHttpOnlyFalse() as the token repository; the default repository keeps the token in the HTTP session and expects it as the _csrf form field or the X-CSRF-TOKEN header.

2. Your Security Rules Aren't Allowing Access to Login/Signup Endpoints

Double-check that your Spring Security config explicitly permits unauthenticated access to your login and signup URLs. If these endpoints are being blocked by authentication rules, you'll get a 403.

Example Correct Configuration:

@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
    http.authorizeHttpRequests { auth ->
        auth.requestMatchers(HttpMethod.POST, "/signup", "/login").permitAll()
            .anyRequest().authenticated()
    }
    // Add other config (like form login or OAuth2) here
    return http.build()
}

Also verify that your request URL exactly matches what's configured (check for typos, path prefixes, or case sensitivity).

3. Password Encoder Mismatch Between Signup and Login

You're using BCryptPasswordEncoder to hash passwords in your SignUpController, but if Spring Security isn't using the same encoder during login validation, authentication will fail. Bear in mind that a failed or missing authentication shows up as a 403 rather than a 401 whenever no authentication entry point (httpBasic, formLogin, or an explicit authenticationEntryPoint) is configured, because Spring Security then falls back to Http403ForbiddenEntryPoint; a 403 therefore does not necessarily mean an authorization rule fired.

Fix: Ensure you've defined a PasswordEncoder bean in your configuration:

@Bean
fun passwordEncoder(): PasswordEncoder {
    return BCryptPasswordEncoder()
}

Spring Security's DaoAuthenticationProvider picks this bean up automatically, so the hash stored at signup and the password submitted at login are compared with the same algorithm. If you compare passwords yourself in the login controller, call passwordEncoder.matches(rawPassword, storedHash) rather than re-hashing and comparing strings, since BCrypt produces a different hash (new salt) on every call.

4. Controller Annotation Might Be Causing Unexpected Behavior

You're using @Controller instead of @RestController for your SignUpController. While this doesn't directly cause a 403, it can lead to unexpected response handling (like trying to resolve a view instead of returning JSON). For API controllers, switch to @RestController or add @ResponseBody to your POST methods.

5. CORS Configuration Issues (If Requesting From a Different Origin)

If your login request is coming from a frontend app on a different origin (scheme, host, or port), a missing or mismatched CORS configuration makes Spring's CorsFilter reject the request with a 403 ("Invalid CORS request") before your controller is ever reached. Make sure your Spring Security config allows that origin:

@Bean
fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
    http.cors { cors ->
        val config = CorsConfiguration()
        // Exact origin, never "*": a wildcard is rejected when allowCredentials is true
        config.allowedOrigins = listOf("http://your-frontend-domain:port")
        config.allowedMethods = listOf("POST", "GET")
        config.allowedHeaders = listOf("*")
        config.allowCredentials = true
        // configurationSource() expects a CorsConfigurationSource that maps a request
        // to a CorsConfiguration; register the config for every path and pass the source in
        cors.configurationSource(UrlBasedCorsConfigurationSource().apply {
            registerCorsConfiguration("/**", config)
        })
    }
    // Rest of your config...
    return http.build()
}

If you're still stuck, could you share:

  • Your full Spring Security configuration class
  • The complete code for your login endpoint controller
  • The exact request headers and body you're sending (redact sensitive info like passwords)

That'll help narrow down the issue further!
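Putting the five points together: the following is a complete Spring Security 6 / Spring Boot 3 configuration for a stateless JWT API, written here as an added example (it is not code from the original answer or the asker's project). The class name ApiSecurityConfig and the http://localhost:3000 frontend origin are assumptions; the example also swaps the default 403 entry point for a 401 so authentication failures can be told apart from authorization failures.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.http.HttpMethod
import org.springframework.http.HttpStatus
import org.springframework.security.authentication.AuthenticationManager
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
import org.springframework.security.crypto.password.PasswordEncoder
import org.springframework.security.web.SecurityFilterChain
import org.springframework.security.web.authentication.HttpStatusEntryPoint
import org.springframework.web.cors.CorsConfiguration
import org.springframework.web.cors.UrlBasedCorsConfigurationSource

@Configuration @EnableWebSecurity
class ApiSecurityConfig { // assumed class name
    @Bean
    fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
        http
            // Stateless JWT API: no session cookie is issued, so CSRF tokens add nothing here.
            .csrf { it.disable() }
            .sessionManagement { it.sessionCreationPolicy(SessionCreationPolicy.STATELESS) }
            .cors { it.configurationSource(corsConfigurationSource()) }
            .authorizeHttpRequests { auth ->
                auth.requestMatchers(HttpMethod.POST, "/login", "/signup").permitAll()
                    .anyRequest().authenticated()
            }
            // Without an entry point, unauthenticated requests get a bare 403 (Http403ForbiddenEntryPoint);
            // answer 401 instead so they are distinguishable from real authorization failures.
            .exceptionHandling { it.authenticationEntryPoint(HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)) }
        return http.build()
    }

    @Bean
    fun corsConfigurationSource(): UrlBasedCorsConfigurationSource {
        val config = CorsConfiguration().apply {
            allowedOrigins = listOf("http://localhost:3000") // assumed frontend origin; never "*" with credentials
            allowedMethods = listOf("GET", "POST")
            allowedHeaders = listOf("Authorization", "Content-Type")
            allowCredentials = true
        }
        return UrlBasedCorsConfigurationSource().apply { registerCorsConfiguration("/**", config) }
    }
    // One encoder for both SignUpController hashing and login validation.
    @Bean fun passwordEncoder(): PasswordEncoder = BCryptPasswordEncoder()
    // The /login controller calls authenticate(...) on this before minting a JWT.
    @Bean fun authenticationManager(config: AuthenticationConfiguration): AuthenticationManager = config.authenticationManager
}
```

With this in place, a POST to /login from http://localhost:3000 passes CSRF, CORS and the authorization rules, and any remaining 403 can only come from an authorization decision rather than from a silently unauthenticated request.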

The question comes from Stack Exchange; asked by Jason Miesionczek.
