SpringbootDebug / FixBeginner · 4 min read

How to Fix 403 Forbidden Error in Spring Security

A 403 Forbidden error in Spring Security usually means the user lacks permission to access a resource. Fix it by correctly configuring HttpSecurity authorization rules and ensuring the user has the required roles or authorities.

Why This Happens

A 403 Forbidden error occurs when Spring Security blocks access because the current user does not have the required permissions. This often happens if the security rules are too strict or roles are not assigned properly.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            // Only a principal holding the authority ROLE_ADMIN may reach /admin/**;
            // any other authenticated user is answered with 403 Forbidden.
            .antMatchers("/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```
Output
HTTP Status 403 – Forbidden Access Denied: You do not have permission to access this page.

The Fix

Update your security configuration so that users are granted the correct roles and that the role prefixes match: hasRole("ADMIN") is satisfied only by an authority named ROLE_ADMIN, so a user whose authority is the bare string "ADMIN" is still denied. Also verify that the user is actually authenticated and has been granted the needed authorities.

```java
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
            // hasRole("ADMIN") checks for the authority "ROLE_ADMIN" (the ROLE_
            // prefix is added for you; passing "ROLE_ADMIN" here is rejected).
            // The user must therefore be created with roles("ADMIN") or with
            // the authority "ROLE_ADMIN" for this rule to grant access.
            .antMatchers("/admin/**").hasRole("ADMIN")
            .anyRequest().authenticated()
            .and()
            .formLogin();
    }
}
```
Output
Access granted to /admin page when logged in as user with ROLE_ADMIN.

Prevention

Always assign correct roles with proper prefixes (e.g., ROLE_) and keep your authorization rules clear and consistent. Test user roles and permissions early to avoid 403 errors. Use logging to trace access denials.
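A quick way to catch the prefix mismatch early, as the Prevention section suggests, is a MockMvc test that exercises the rule in the fix above. The following is an added example, not code from the original post; it assumes spring-boot-starter-test and spring-security-test are on the classpath and that a controller serves GET /admin/dashboard with 200, and the class and endpoint names are made up.

```java
// Added example (not from the original post). Assumes a controller answers
// GET /admin/dashboard with 200 when the request is authorized.
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class AdminAccessTest {

    @Autowired
    MockMvc mvc;

    // roles = "ADMIN" stores the authority as "ROLE_ADMIN", which is exactly
    // what hasRole("ADMIN") looks for, so the request is allowed through.
    @Test
    @WithMockUser(username = "alice", roles = "ADMIN")
    void adminRoleIsAllowed() throws Exception {
        mvc.perform(get("/admin/dashboard")).andExpect(status().isOk());
    }

    // authorities = "ADMIN" stores the bare string "ADMIN" with no prefix;
    // hasRole("ADMIN") does not match it and Spring Security answers 403.
    @Test
    @WithMockUser(username = "bob", authorities = "ADMIN")
    void bareAdminAuthorityIsForbidden() throws Exception {
        mvc.perform(get("/admin/dashboard")).andExpect(status().isForbidden());
    }

    // An authenticated user with a different role is forbidden as well.
    @Test
    @WithMockUser(username = "carol", roles = "USER")
    void plainUserIsForbidden() throws Exception {
        mvc.perform(get("/admin/dashboard")).andExpect(status().isForbidden());
    }

    // No authentication at all: formLogin() redirects to the login page,
    // which is the "not authenticated" case from Related Errors, not a 403.
    @Test
    void anonymousIsRedirectedToLogin() throws Exception {
        mvc.perform(get("/admin/dashboard")).andExpect(status().is3xxRedirection());
    }
}
```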


Related Errors

  • 401 Unauthorized: Happens when the user is not authenticated; fix by enabling login.
  • 404 Not Found: Resource missing, not a security issue.
  • Access Denied Exception: Check your method-level security annotations and roles.

Key Takeaways

403 Forbidden means the user lacks permission to access the resource.
Ensure roles have correct prefixes like ROLE_ and match your security rules.
Configure HttpSecurity authorization rules carefully to allow access.
Test user roles and permissions early to catch access issues.
Use logging to diagnose and prevent access denials.