Geek Answers Handbook

Spring Security - all jQuery Ajax messages return 404

All my $.ajax , both POST and GET , worked fine, but as soon as I included Spring security 3.2.6 in my project, the ajax POST requests stopped working without uploading any problems.

spring -security.xml

 <beans:beans xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.springframework.org/schema/security" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.2.xsd"> <!--Permit all Web resources to bypass proxy--> <http pattern="/js/**" security="none"/> <http pattern="/css/**" security="none"/> <http pattern="/fonts/**" security="none"/> <http pattern="/images/**" security="none"/> <http auto-config="true" use-expressions="true" > <intercept-url pattern="/login" access="isAnonymous()"/> <intercept-url pattern="/workflow**" access="hasRole('ROLE_WORKFLOW_ADMIN')"/> <intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_WORKFLOW_ADMIN','ROLE_DMS_ADMIN')"/> <access-denied-handler error-page="/403"/> <form-login login-page="/login" default-target-url="/dashboard" authentication-failure-url="/login?error" username-parameter="username" password-parameter="password"/> <logout invalidate-session="true" logout-success-url="/login?logout"/> <csrf/> </http> <!-- Select users and user_roles from database --> <authentication-manager> <authentication-provider ref="daoAuthenticationProvider"/> </authentication-manager> <beans:bean id="daoAuthenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider"> <beans:property name="userDetailsService" ref="authService"/> </beans:bean> </beans:beans>

web.xml

 <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" version="2.5"> <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <servlet> <servlet-name>mvc-dispatcher</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>mvc-dispatcher</servlet-name> <url-pattern>/</url-pattern> </servlet-mapping> <context-param> <param-name>contextConfigLocation</param-name> <param-value> /WEB-INF/mvc-dispatcher-servlet.xml /WEB-INF/spring-security.xml </param-value> </context-param> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <error-page> <exception-type>java.lang.Throwable</exception-type> <location>/error</location> </error-page> <error-page> <error-code>500</error-code> <location>/error</location> </error-page> </web-app>

Edit

The url I'm trying to get is

http: // localhost: 8080 / ADMIN / workflow / sample-ajax

Could there be something with spring security?

+7
jquery spring ajax spring-mvc spring-security
source share
3 answers

Finally, after three painful days, I found the problem, and the boy was stupid.

The problem was that I turned on csrf protection in spring security. And this led to my mail requests being denied, which causes the access-denied-handler error page, since I did not map my access-denied-handler page to the "/403" error, as shown below, my http 403/401 was masked http 404

 <access-denied-handler error-page="/403"/>

So in Short

  • Map the access-denied-handler error page to a valid url
  • If you use csrf protection, then always check that you pass them to the post ajax request as such

$. ajax ({method: 'POST', url: '/ ajax', data: {"$ {_ csrf.parameterName}": "$ {_ csrf.token}"}});

+10
source share

There is another situation that you need to specifically consult when implementing spring security 4, you need a form button (and not "href").

https://spring.io/blog/2013/08/21/spring-security-3-2-0-rc1-highlights-csrf-protection/#ajax-requests .

A> the sent form request is sent: the input type is hidden in and the input / output buttons

 <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

B> For the subsequent AJAX request, add the following on the JSP page after the taglib declarations.

 <meta name="_csrf" content="${_csrf.token}" /> <meta name="_csrf_header" content="${_csrf.headerName}" />

and some where above the body tag in jsp closes somewhere when it's "ready"

 <script type="text/javascript"> $(function() { var token = $("meta[name='_csrf']").attr("content"); var header = $("meta[name='_csrf_header']").attr("content"); $(document).ajaxSend(function(e, xhr, options) { xhr.setRequestHeader(header, token); }); }); </script>

That should work! If you still have problems with CORS, see the article below. http://www.html5rocks.com/en/tutorials/cors/

+3
source share

Have you tried using a regular HTTP request to use spring security, for which you must use a specific set of variable names, you can use it.

Also check if you can send an email request to a limited URL using AJAX.

0
source share

More articles:


All Articles