I have the same issue to you, every request is blocked by 403 error, except the [/] request. After a lot of time in crazy, I found the root cause, that is the [csrf].
Then my security config is like as following:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/delete/**").authenticated()
.and()
.httpBasic().and()
.csrf().disable();
}
This configuration says that: only [delete/**] should be authorized.
And I mark the [delete] action as following:
@PreAuthorize("hasRole('ROLE_ADMIN')")
void delete(String id);
Hope to help someone.