PUT and POST not allowed

I’m trying to build a customer facing app that’s using the app-portal. My controller works fine as long as the request is GET. However if I try a POST or PUT I get an error. The PUT error is below:

PUT http://localhost:8080/app-portal/user/1 405 (Method Not Allowed)

I created a CORSFilter in hopes that it would allow these requests to go through, but had no luck. Any ideas?

public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    System.out.println("Filtering on...........................................................");
    HttpServletResponse response = (HttpServletResponse) res;
    response.setHeader("Access-Control-Allow-Origin", "*");
    response.setHeader("Access-Control-Allow-Methods", "POST, GET, PUT, OPTIONS, DELETE");
    response.setHeader("Access-Control-Max-Age", "3600");
    response.setHeader("Access-Control-Allow-Headers", "x-requested-with, Content-Type");
    chain.doFilter(req, res);



can you show the Spring MVC controller class? Normally in order to work with different HTTP methods in the controller, the controller method has to be annotated with:

@RequestMapping(method = {RequestMethod.PUT}

If you can share the code it should be a little clearer. Or are you using the generic API of CUBA?

@RequestMapping(value = “/user/{id}”, method = RequestMethod.PUT)
public ResponseEntity updateUser(@PathVariable(“id”) long id, @RequestBody UserInfo user) {

That is the methos I’m trying to call. The methods I have marked with “GET” work just fine.

Hi Kent,

It is worth mentioning that CUBA REST-API does not use Spring Security filtering.
You have to disable Spring Security filtering for your API URLs in portal-security-spring.xml to be able to perform requests with custom CORS policy:

    <http pattern="/user/**" security="none"/>

And then set method PUT for a method of your controller:

public class UserController {

    private Logger log = LoggerFactory.getLogger(UserController.class);

    @RequestMapping(path = "{id}", method = RequestMethod.PUT, produces = "application/json")
    public String create(@PathVariable String id, @RequestBody String userInfo) {
        log.info("Put new user {} with info {}", id, userInfo);

        return "{\"status\": \"ok\"}";

I’ve attached sample project, so you can try it in action.

portal-put-demo.zip (31.5K)

Is there a way to get CUBA Rest to work with SpringSecurity? The current application I’m working on doesn’t really require it, but in the future we are wanting to create a customer facing portal that mimics much of what we are doing in the web module.


CUBA does not use Spring Security for REST-API because we have our own security model described here: [url=https://doc.cuba-platform.com/manual-6.1/security_subsystem.html]https://doc.cuba-platform.com/manual-6.1/security_subsystem.html[/url]. CUBA Security model is powerful, so you can fine-tune your security from the web application and all security rules will be applied for REST-API requests. We don’t have different URLs for resources in the current version of REST-API so Spring Security model is not suitable for CUBA REST-API.

We are planning to add RESTful URLs support and much more functionality for public-facing portals in one of the next minor releases planned for September 2016. It seems that Spring Security will be suitable for public-facing portals that use REST-API with these new features.

I tried with

<http pattern="/user/**" security="none"/> 

it is not working without token being passed. says

"error": "unauthorized", 
"error_description": "An Authentication object was not found in the SecurityContext" 

I am trying ro make a POST call to register the users anonymously.


It is hard to say what is wrong with your code without a sample/test project. Could you please create a small project on github where this problem can be reproduced?

For what is worth after 2yrs, I’ve had the same problem: the solution is to fetch the anonymous security context at the start of the function:

UUID anonymousSessionId = globalConfig.getAnonymousSessionId();
AppContext.setSecurityContext(new SecurityContext(anonymousSessionId));