JQuery POST giving 403 forbidden error in spring mvc

Question

JQuery POST giving 403 forbidden error in spring mvc

I want to make an ajax call using $ .POST. But I get error 403. But GET works fine. My code is:

var url = "/xyz/abc/subscribe?name="+name; $.post(url, function(data){ alert(data); });

Controller Code:

 @RequestMapping(value = "/xyz/abc/subscribe", method = RequestMethod.POST) public @ResponseBody String subscribe(@RequestParam("name") String name) throws Exception { String message = "TESTING"; return message; }

But I get a 403 error.

+13

jquery post spring-mvc http-status-code-403

user3729782 Aug 6 '14 at 11:55

source share

5 answers

Emiliano schiano · Answer 1 · 2015-05-26T23:45:26+0000

When using Spring Security with Java configuration, CSRF protection is enabled by default. In this context, if you make an Ajax request to the REST endpoint using the POST method, you will get the csrf token error.

To solve this problem, there are two options:

Option 1: disable csrf

 @Override protected void configure (HttpSecurity http) throws Exception { http.csrf().disable(); }

Option 2: Add csrf to the ajax request. Look here

izilotti · Answer 2 · 2015-09-01T16:58:27+0000

You may need to add the csrf token to the request.

Obtaining a token using JSTL should be fairly simple. If you are using Thymeleaf, here is how to get it.

 <script th:inline="javascript"> /*<![CDATA[*/ var _csrf_token = /*[[${_csrf.token}]]*/ ''; var _csrf_param_name = /*[[${_csrf.parameterName}]]*/ ''; /*]]>*/ </script>

Then add it to your query:

 var requestData = { 'paramA': paramA, 'paramB': paramB, }; requestData[_csrf_param_name] = _csrf_token; // Adds the token $.ajax({ type: 'POST', url: '...your url...', data: requestData, ... });

If all goes well, the request should include something like _csrf: 1556bced-b323-4a23-ba1d-5d15428d29fa (csrf token) and you will get 200 instead of 403.

Benoitj · Answer 3 · 2017-09-27T13:58:47+0000

If you look at the source code of CSRFilter, you will see that the filter is waiting for csrfToken in the header or request parameter. In my configuration, the key "_csrf" was the correct key in the request parameter. So I added this parameter to my mail call.

  var csrfCookie = getCsrfCookie(); alert(csrfCookie); function getCsrfCookie() { var ret = ""; var tab = document.cookie.split(";"); if(tab.length>0){ var tab1 = tab[0].split("="); if(tab1.length>1) { ret =tab1[1]; } } return ret; } $http.post('/testPost?_csrf='+csrfCookie).success(function (response) { alert("post : "+response); return response; });

With this he works for me.

VK321 · Answer 4 · 2019-01-21T20:57:21+0000

This is an example without disabling CSRF.

Step 1: Add CSRF to Your Header Like This

 <meta th:name="${_csrf.parameterName}" th:content="${_csrf.token}"/>

Step 2: make a call with a token

 $( "#create_something" ).click(function() { var token = $("meta[name='_csrf']").attr("content"); $.ajax({ url : '/xxxxxxxxxxxx', // url to make request headers: {"X-CSRF-TOKEN": token}, //send CSRF token in header type : 'POST', success : function(result) { alert(result); } }) });

Patrick grimard · Answer 5 · 2014-08-06T18:46:08+0000

You are trying to make a POST request to a REST endpoint that you are not authorized to. Either your session has become invalid, or the user you are logging in with, because it does not have permissions, such as @geoand, which are already specified.

JQuery POST giving 403 forbidden error in spring mvc

More articles: