Debugging a SpringBoot CSRF 404 Error: From @GetMapping to @PostMapping
The author describes how changing a SpringBoot controller annotation from @GetMapping to @PostMapping caused a silent 404 error, how a teammate quickly fixed it by disabling CSRF, and how a visual tool helped reveal the underlying filter-chain behavior.
Last Friday the author encountered a puzzling bug after changing a SpringBoot controller annotation from @GetMapping to @PostMapping: the endpoint returned a 404 error without any WARN or ERROR logs.
The logs showed no obvious exception, and a teammate noticed that CSRF protection was enabled while the request lacked a token.
The teammate resolved the issue by disabling CSRF with the line .csrf().disable(), after which the endpoint worked correctly.
The author then used the XCodeMap plugin to generate a dynamic sequence diagram of the SpringBoot filter chain, identifying that the request was blocked in CsrfFilter and an AccessDeniedHandler was invoked, leading to the 404 because no custom “/403” page was configured.
The post explains the basic CSRF mechanism (comparing a token from the request header/parameter with one from a cookie) and illustrates how proper token handling prevents CSRF attacks.
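As an added example (not code from the original post), the configuration below keeps CSRF protection enabled, uses the cookie/header token comparison described above, and turns a CsrfFilter rejection into a logged 403 instead of a silent 404. It assumes Spring Security 5.4 or later; the class name `SecurityConfig` and the log message are hypothetical.

```java
// Added example, not the post's code. Assumes Spring Security 5.4+
// (SecurityFilterChain bean, lambda DSL). Class name is hypothetical.
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfException;

@Configuration
public class SecurityConfig {

    private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Keep CSRF on. The token is issued in the XSRF-TOKEN cookie
            // (readable by same-origin JavaScript) and the client must echo
            // it in the X-XSRF-TOKEN header or the _csrf parameter on every
            // state-changing request such as the new POST endpoint.
            // On 6.x, also review the CsrfTokenRequestHandler default,
            // which changed from 5.x.
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
            // CsrfFilter hands a missing or mismatched token to this handler.
            // Log it at WARN and answer 403 directly, so the failure is not
            // masked by a forward to an error page that does not exist.
            .exceptionHandling(ex -> ex
                .accessDeniedHandler((request, response, denied) -> {
                    if (denied instanceof CsrfException) {
                        log.warn("CSRF check rejected {} {}: {}",
                                request.getMethod(),
                                request.getRequestURI(),
                                denied.getMessage());
                    }
                    response.setStatus(HttpStatus.FORBIDDEN.value());
                }));
        return http.build();
    }
}
```

With this in place, a POST without a token produces a WARN line naming CsrfFilter's exception and a 403 response, which points straight at the missing token.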
Architect's Guide
Dedicated to sharing programmer-architect skills—Java backend, system, microservice, and distributed architectures—to help you become a senior architect.