After updating a Spring Boot application with spring-boot-starter-security on TAS to Spring Boot 3.5.0, setting log levels in Apps Manager is no longer possible. Although the log levels are displayed, changing to another level does not work.
Checking the log files, you will see that POST requests to /cloudfoundryapplication/loggers/* are answered with HTTP 401, e.g.:
2025-06-13T13:53:53.40+0200 [RTR/0] OUT demo-actuator-app-3-5-0.example.com - [2025-06-13T11:53:53.383258524Z] "POST /cloudfoundryapplication/loggers/ROOT HTTP/1.1" 401 26 125 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36" "###.###.###.24:42210" "###.###.###.7:61046" x_forwarded_for:"###.###.###.132, ###.###.###.24" x_forwarded_proto:"https" vcap_request_id:"03167743-390c-4ee3-6e00-1d134e8092c5" response_time:0.017188 gorouter_time:0.001138 app_id:"700318d4-fb61-4cce-9adc-f490975fa0ba" app_index:"0" instance_id:"1ec03e78-c3a4-41a4-4574-4358" failed_attempts:0 failed_attempts_time:"-" dns_time:0.000000 dial_time:0.000000 tls_time:0.000000 backend_time:0.016050 x_cf_routererror:"-" x_b3_traceid:"03167743390c4ee36e001d134e8092c5" x_b3_spanid:"6e001d134e8092c5" x_b3_parentspanid:"-" b3:"03167743390c4ee36e001d134e8092c5-6e001d134e8092c5"
Spring Boot 3.5.0
With #32622 we changed the security config from ignoring() to permitAll(). Unfortunately, the change also makes CSRF protection kick in, which results in HTTP 401 responses.
Spring Boot 3.5.1 fixes this issue.
https://github.com/spring-projects/spring-boot/issues/45848
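The difference between ignoring() and permitAll() described above, as an added illustration. This is not Spring Boot's auto-configuration code and not necessarily how 3.5.1 implements the fix. The class name, bean names and profile names are hypothetical; activate one profile at a time to compare how a POST to the path is handled.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical demo configuration (assumption, not from the page).
@Configuration(proxyBeanMethods = false)
public class CloudFoundryPathSecurityDemo {

    private static final String CF_PATHS = "/cloudfoundryapplication/**";

    // Variant A, ignoring(): matching requests bypass the Spring Security
    // filter chain entirely, so no CsrfFilter ever sees the POST.
    @Bean
    @Profile("ignoring")
    WebSecurityCustomizer ignoreCloudFoundryPaths() {
        return web -> web.ignoring().requestMatchers(CF_PATHS);
    }

    // Variant B, permitAll(): matching requests pass through a filter chain.
    // Authorization lets everyone in, but the chain's default CsrfFilter
    // still rejects state-changing requests (POST) that carry no CSRF token.
    @Bean
    @Profile("permit-all")
    @Order(0)
    SecurityFilterChain permitAllCloudFoundryPaths(HttpSecurity http) throws Exception {
        http.securityMatcher(CF_PATHS)
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
        return http.build();
    }

    // Variant C, permitAll() with the paths exempted from CSRF checks.
    // An exemption like this is only appropriate for paths that do not
    // authenticate through browser cookies or sessions.
    @Bean
    @Profile("permit-all-no-csrf")
    @Order(0)
    SecurityFilterChain permitAllWithoutCsrf(HttpSecurity http) throws Exception {
        http.securityMatcher(CF_PATHS)
            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll())
            .csrf(csrf -> csrf.ignoringRequestMatchers(CF_PATHS));
        return http.build();
    }
}
```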