403 Forbidden error with ajax get Spring request

I get a 403 Forbidden error every time I try a GET to fetch user information from the database. With my code below, every time I try to execute a request by clicking the Ajax Test button, it does not start and gives me an alert, and the console also shows a 403 Forbidden error. I'm not sure if this is related to Spring Security?

JSP user page:

    <table>
      <tr>
        <td>User Id</td>
        <td>Full Name</td>
        <td>Username</td>
        <td>Email</td>
        <td>Date of Birth</td>
        <td>User Authority</td>
        <td>Update</td>
        <td>Delete</td>
      </tr>
      <c:forEach var="user" items="${users}">
        <tr>
          <td><c:out value="${user.id}" /></td>
          <td><c:out value="${user.name}" /></td>
          <td><c:out value="${user.username}" /></td>
          <td><c:out value="${user.email}" /></td>
          <td><c:out value="${user.dob}" /></td>
          <td><c:out value="${user.authority}" /></td>
          <td>
            <a id="update" href="<c:url value="/viewUser"><c:param name="id" value="${user.id}"/></c:url>"><button>Update</button></a>
          </td>
          <td>
            <a id="delete" href="<c:url value="/deleteUser"><c:param name="id" value="${user.id}"/></c:url>"><button>Delete</button></a>
          </td>
          <td>
            <button class="loadUser" name="id" value="${user.id}">Ajax test</button>
          </td>
        </tr>
      </c:forEach>
    </table>
    <div id="personIdResponse"></div>
    <script type="text/javascript">
      $(document).ready(function () {
        $(".loadUser").click(function (e) {
          e.preventDefault();
          var personId = +$(this).val();
          $.get('${pageContext.request.contextPath}/SDP/ajaxTest/' + personId, function (user) {
            $('#personIdResponse').text(user.name + ', username = ' + user.username);
          })
          .fail(function (jqXHR) {
            alert('Could not load user');
          });
        });
      });
    </script>

User Controller Class:

    @RequestMapping("/viewUser")
    public String updateUser(Model model,
                             @RequestParam(value = "id", required = false) Integer id) {
        User user = usersService.getUser(id);
        model.addAttribute("user", user);
        return "settings";
    }

    @RequestMapping("/ajaxTest")
    @ResponseBody
    public User ajaxTest(@RequestParam(value = "id", required = false) Integer id) {
        User user = usersService.getUser(id);
        return user;
    }
+4
java jquery spring ajax spring-mvc
5 answers

This is usually caused by Spring's default CSRF protection.

If you use, for example, a DELETE HTTP request from your JS code, you must also send the CSRF security headers.

No need to disable CSRF protection! Please do not do this unless it is necessary.

You can easily add CSRF protection to your AJAX / REST calls:

1. Add the meta headers to each page (use a layout.html or something similar):

    <head>
      <meta name="_csrf" th:content="${_csrf.token}"/>
      <meta name="_csrf_header" th:content="${_csrf.headerName}"/>
    </head>

2. Set up your ajax requests to send these headers with each request:

    $(function () {
      var token = $("meta[name='_csrf']").attr("content");
      var header = $("meta[name='_csrf_header']").attr("content");
      $(document).ajaxSend(function (e, xhr, options) {
        xhr.setRequestHeader(header, token);
      });
    });

Note that I use Thymeleaf, so I use th:content instead of the content attribute.

+19

If you use Spring Security 3.2.0.RC1 or later, try this solution: http://spring.io/blog/2013/08/21/spring-security-3-2-0-rc1-highlights-csrf-protection

+4

As of Spring Security 4.0, CSRF protection is enabled by default with XML configuration. If you want to disable CSRF protection, the corresponding XML configuration is shown below.

    <security:http use-expressions="true">
      ...
      <security:csrf disabled="true" />
    </security:http>
+2

Check file permissions. 403 is a server error, not an Ajax one. Try requesting the file (by file I mean the URL) directly.

+1

In Spring REST or other REST implementations (e.g. Jersey), if there is no matching resource on the server side, a 403 Forbidden is returned by the REST container.

You need to re-check the request/response annotations.

For example, for the ajaxTest request, try this change:

    @RequestMapping(value = "/ajaxTest/{personid}", method = RequestMethod.GET)
    @ResponseBody
    public User ajaxTest(@PathVariable Integer personid) {
        ..
    }

Basically, the user ID does not look like a request parameter (we put it in the GET URL path), so try switching to @PathVariable, and if you are not sure about the default method in Spring REST, explicitly define which HTTP method this handler should be called for.

A 403 implies that the operation is not allowed, or one of many similar reasons other than an authentication error. See http://en.wikipedia.org/wiki/HTTP_403 for the various possibilities.

0
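Spring Security's CSRF filter does not check GET, HEAD, TRACE or OPTIONS requests, so a 403 on this GET points at the URL mapping or the authorization rules rather than at a missing token. The controller below is an added example, not the asker's or any answerer's code: it binds the id from the path exactly as the JSP builds the URL, restricts the handler to GET, and returns a 404 instead of a null body when no user exists. It assumes the `UsersService` and `User` types from the question, that `getUser` returns null for an unknown id, and that the `/SDP` prefix in the JSP's URL is consumed by the servlet mapping before the request reaches this controller.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

// Added example: GET-only JSON endpoint for the JSP's
// '${pageContext.request.contextPath}/SDP/ajaxTest/' + personId call.
// UsersService and User are the question's own types (assumed to be on the classpath);
// the '/SDP' prefix is assumed to be consumed by the servlet mapping.
@Controller
public class AjaxUserController {

    private final UsersService usersService;

    @Autowired
    public AjaxUserController(UsersService usersService) {
        this.usersService = usersService;
    }

    // The id travels in the path, so bind it with @PathVariable rather than @RequestParam;
    // the asker's "/ajaxTest" + @RequestParam mapping never matches "/ajaxTest/123".
    // method = GET means a POST or DELETE to this URL is rejected with 405 instead of
    // being routed here. Spring Security still runs first: an authorization rule that
    // denies this URL produces the 403 before any controller code executes.
    @RequestMapping(value = "/ajaxTest/{personId}", method = RequestMethod.GET)
    public ResponseEntity<User> ajaxTest(@PathVariable("personId") Integer personId) {
        User user = usersService.getUser(personId); // assumed to return null when no row matches
        if (user == null) {
            // Explicit 404 so the jQuery .fail() handler fires for a missing user
            // instead of the success callback receiving an empty body.
            return new ResponseEntity<User>(HttpStatus.NOT_FOUND);
        }
        // ResponseEntity is written through the registered HttpMessageConverter
        // (JSON when Jackson is on the classpath), so @ResponseBody is not needed.
        return new ResponseEntity<User>(user, HttpStatus.OK);
    }
}
```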
