Debugging a SpringBoot CSRF 404 Error: From @GetMapping to @PostMapping
The author describes how changing a SpringBoot controller annotation from @GetMapping to @PostMapping caused a silent 404 error, how a teammate quickly fixed it by disabling CSRF, and how a visual tool helped reveal the underlying filter-chain behavior.
Last Friday the author encountered a puzzling bug after changing a SpringBoot controller annotation from @GetMapping to @PostMapping, which resulted in a 404 error without any WARN or ERROR logs.
Checking the logs revealed no obvious exception, and a teammate noticed that CSRF protection was enabled while the request carried no token.
The teammate resolved the issue by disabling CSRF with the line .csrf().disable(), after which the endpoint worked correctly.
The author then used the XCodeMap plugin to generate a dynamic sequence diagram of the SpringBoot filter chain, identifying that the request was blocked in CsrfFilter and an AccessDeniedHandler was invoked, leading to the 404 because no custom “/403” page was configured.
The post explains the basic CSRF mechanism (comparing a token from the request header/parameter with one from a cookie) and illustrates how proper token handling prevents CSRF attacks.
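A configuration that keeps CSRF protection enabled and makes the rejection visible, instead of disabling the filter. This is an added example, not code from the original post. It assumes Spring Security 5.4 or later with the lambda DSL; the package, class name, handler name and log message are hypothetical.

```java
package example; // hypothetical package

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfException;

@Configuration
public class CsrfSecurityConfig {

    private static final Logger log = LoggerFactory.getLogger(CsrfSecurityConfig.class);

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Keep CsrfFilter active. The token is issued in a cookie that
            // client-side script can read and echo back in a request header.
            .csrf(csrf -> csrf.csrfTokenRepository(
                    CookieCsrfTokenRepository.withHttpOnlyFalse()))
            // Answer rejections directly with 403 rather than forwarding to
            // an error page that may not exist (the source of the 404).
            .exceptionHandling(eh -> eh.accessDeniedHandler(csrfAwareHandler()));
        // Authorization rules are omitted; add the application's own here.
        return http.build();
    }

    // Logs CSRF rejections at WARN so a missing or invalid token shows up in
    // the application log, then returns a plain 403 response.
    AccessDeniedHandler csrfAwareHandler() {
        return (request, response, ex) -> {
            if (ex instanceof CsrfException) {
                log.warn("CSRF check rejected {} {}: {}",
                        request.getMethod(), request.getRequestURI(), ex.getMessage());
            }
            response.setStatus(403);
            response.setContentType("text/plain;charset=UTF-8");
            response.getWriter().write("Forbidden");
        };
    }
}
```

With the repository's defaults, the client reads the XSRF-TOKEN cookie and sends its value in the X-XSRF-TOKEN header on each POST. On Spring Security 6 the token request handling changed, so a JavaScript client may need additional configuration beyond what is shown.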
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Architect's Guide
Dedicated to sharing programmer-architect skills—Java backend, system, microservice, and distributed architectures—to help you become a senior architect.
