Spring Security Access denied 403 after post
I noticed you're using csrf protection, which by default protects any HTTP verb that modifies a resource (e.g. PUT, POST, DELETE,...). If you're using Spring's form tag, a csrf token should be automatically included as a hidden input in your form. You should check the source in your browser to verify the csrf token is there, otherwise you'll need something like this:
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
You can read more about CSRF protection and its configuration in the Spring Security reference documentation.
Lucas Freitas
Updated on July 09, 2022
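To make the behaviour behind this answer concrete, here is an added example (not code from the question, the answer, or Spring Security itself) that models what Spring's CsrfFilter does with its default settings: "safe" methods (GET, HEAD, TRACE, OPTIONS) are never checked, every other method must carry the session's synchronizer token either in the `_csrf` request parameter or the `X-CSRF-TOKEN` header, and anything else is rejected with 403. The function names `issue_token`, `hidden_input` and `csrf_check`, the in-memory session dict and the sample requests are all assumptions made for the illustration; the default parameter and header names are Spring Security's.

```python
import hmac
import secrets

# Methods the filter treats as "safe" (read-only) and never checks.
SAFE_METHODS = frozenset({"GET", "HEAD", "TRACE", "OPTIONS"})
# Spring Security's default names; in a JSP they appear as
# ${_csrf.parameterName} and ${_csrf.headerName}.
CSRF_PARAMETER = "_csrf"
CSRF_HEADER = "X-CSRF-TOKEN"


def issue_token(session: dict) -> str:
    """Create (or reuse) the per-session synchronizer token.

    Models the default session-backed token repository: the token lives
    server-side and is rendered into each form as a hidden input.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def hidden_input(session: dict) -> str:
    """Render the hidden field the answer above asks you to add to the form."""
    token = issue_token(session)
    return f'<input type="hidden" name="{CSRF_PARAMETER}" value="{token}"/>'


def csrf_check(method: str, session: dict, params: dict, headers: dict) -> int:
    """Return the HTTP status the CSRF filter would produce for a request.

    200 means the request reaches the controller; 403 is the "access
    denied" the question reports for the POST.
    """
    if method.upper() in SAFE_METHODS:
        return 200
    expected = session.get("csrf_token")
    if expected is None:
        return 403  # no token was ever issued for this session
    # Header is consulted first, then the request parameter (hidden input).
    supplied = headers.get(CSRF_HEADER) or params.get(CSRF_PARAMETER)
    if supplied is None:
        return 403  # state-changing request without any token
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return 403  # token present but not the one bound to this session
    return 200


if __name__ == "__main__":
    # Constructed sample session reproducing the question's symptom.
    session = {}
    issue_token(session)
    # GET /users/edit/1 is never checked, so it works as the question says.
    print("GET  ->", csrf_check("GET", session, {}, {}))
    # POST from a form with no hidden _csrf input is rejected.
    print("POST without token ->", csrf_check("POST", session, {}, {}))
    # POST carrying the hidden input from the answer passes.
    form_params = {CSRF_PARAMETER: session["csrf_token"]}
    print("POST with token    ->", csrf_check("POST", session, form_params, {}))
    print(hidden_input(session))
```

The GET/POST split in the question is exactly the `SAFE_METHODS` branch: the same URL is accepted on GET and refused on POST only because the POST arrived with nothing to compare against the session token.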
-
Lucas Freitas almost 2 years
I've tried almost everything in the others posts about it, nothing is related with my problem.
If I try to recover my URL via GET (ex: path/users/edit/1 ) everything works fine and I get redirected to the user edit page, but If I try to access this page via POST, the spring security deny my access to the page.
Both of the methods are mapped in my controller class.
@RequestMapping(value="/users/edit/{id}", method={RequestMethod.POST, RequestMethod.GET})
public ModelAndView login(ModelAndView model, @PathVariable("id") int id) {
    model.addObject("user", this.userService.getUserById(id));
    model.setViewName("/users/add"); // add.jsp
    return model;
}
My form, which uses POST:
<f:form method="post" action="/users/edit/${user.id}">
    <button type="submit">Edit</button>
</f:form>
Spring security.xml:
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <!-- enable use-expressions -->
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/secure**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
        <intercept-url pattern="/secure/users**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />

        <!-- access denied page -->
        <access-denied-handler error-page="/denied" />

        <form-login login-page="/home"
            default-target-url="/secure"
            authentication-failure-url="/home?error"
            username-parameter="inputEmail"
            password-parameter="inputPassword" />
        <logout logout-success-url="/home?logout" />

        <!-- enable csrf protection -->
        <csrf/>
    </http>

    <!-- Select users and user_roles from database -->
    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="md5" />
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query=
                    "SELECT login, senha, ativo FROM usuarios WHERE login = ?"
                authorities-by-username-query=
                    "SELECT u.login, r.role FROM usuarios_roles r, usuarios u WHERE u.id = r.usuario_id AND u.login = ?" />
        </authentication-provider>
    </authentication-manager>
</beans:beans>
-
Lucas Freitas about 9 years
That's it! Thank you!
-
Admin about 4 years
If you are using Thymeleaf with Spring Boot, this manual way is only needed on the login template. There is an automatic way to add the CSRF token, using th:action:
<form action="#" th:action="@{/ingredients}" th:object="${ingredient}" method="post">