Playframework: Setting the Authorization header on WS request causes unexpected Forbidden response

Created on 18 Aug 2017 · 3 Comments · Source: playframework/playframework

Play Version (2.5.x / etc)

2.6.1

API (Scala / Java / Neither / Both)

Scala

Operating System (Ubuntu 15.10 / MacOS 10.10 / Windows 10)

MacOS 10.12.6

JDK (Oracle 1.8.0_72, OpenJDK 1.8.x, Azul Zing)

java version "1.8.0_131"

Actual Behavior

When I set an Authorization header on a POST request and then test it against the test server router, I get an unexpected AhcWSResponse(StandaloneAhcWSResponse(403, Forbidden)). I don't have any 403 case in my code. When I remove that header, I get an Unauthorized response, which is the expected response in my code.

import play.api.http.Status._
import play.api.libs.json.Json
import play.api.libs.ws.WSClient
import scala.concurrent.{ExecutionContext, Future}

def authorizationHeader(s: String): (String, String) =
  play.api.http.HeaderNames.AUTHORIZATION -> s"Bearer $s"

// ws: WSClient, endpoint: String, foo: a value with a Json Writes in scope,
// and an implicit ExecutionContext for flatMap
ws.url(endpoint)
  .addHttpHeaders(authorizationHeader("somestring"))
  .post(Json.toJson(foo))
  .flatMap { response =>
    response.status match {
      case OK =>
        // do something
      case ACCEPTED =>
        // do something
      case BAD_REQUEST | UNAUTHORIZED | INTERNAL_SERVER_ERROR =>
        // do something
      case unexpected => // the 403 falls through to here
        Future.failed(
          new RuntimeException(
            s"unexpected response code: $unexpected"
          )
        )
    }
  }

All 3 comments

This may be because of a CSRF check, which seems to check for a CSRF token if there's a Cookie or Authorization token present. See:

https://github.com/playframework/playframework/blob/36ae22d3536f98c7c9726acfe89b45577fb0e668/framework/src/play-filters-helpers/src/main/resources/reference.conf#L56-L67

Can you try putting play.filters.disabled+=play.filters.csrf.CSRFFilter into your application.conf and see if that changes things?

Thanks,

Bypassing the Authorization header solved the problem.

# application.conf; full key path under play.filters.csrf
play.filters.csrf.header.bypassHeaders {
  Authorization = "*"
}

Great!
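The two settings discussed in this thread side by side, as an added configuration example that is not from the issue or from the Play project itself. The protectHeaders block is the Play 2.6 default that produces the 403 in the report (the filter treats any request carrying a Cookie or Authorization header as session-bearing and demands a CSRF token on unsafe methods); the commented-out line is the whole-filter switch suggested as a diagnostic; the bypassHeaders block is the reporter's fix written out with its full key path. The file name application.conf is the standard Play location and an assumption about the reporter's project.

```hocon
# application.conf (added example, not the issue's or Play's own file)

# Play 2.6 default, shipped in reference.conf. A POST/PUT/DELETE that carries
# either of these headers must also carry a CSRF token, otherwise
# play.filters.csrf.CSRFFilter answers 403 Forbidden before the action runs.
# Repeated here only to show what the bypass below is relaxing.
play.filters.csrf.header.protectHeaders {
  Cookie = "*"
  Authorization = "*"
}

# Diagnostic switch from the thread: removes the filter for every route,
# including cookie-authenticated browser forms. Useful to confirm the cause,
# not a fix to leave in place.
# play.filters.disabled += play.filters.csrf.CSRFFilter

# Narrower fix the reporter settled on: keep the filter, but skip the token
# check for requests that authenticate with an Authorization header.
# Browsers do not attach a Bearer token on their own, so a cross-site page
# cannot forge such a request; cookie-based protection stays in force.
play.filters.csrf.header.bypassHeaders {
  Authorization = "*"
}
```

One caveat before copying the bypass: the wildcard matches any Authorization header value, including HTTP Basic credentials that a browser re-sends automatically once cached. If an application accepts Basic auth from browsers, this exemption reopens the cross-site request problem for those users, and a per-route check (or a bypass scoped to a header only your API clients send) is the safer choice.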
