Jquery POST giving 403 forbidden error in spring mvc

Asked 6/8, 2014 at 11:55 Answered 21/1, 2019 at 20:57

jquery spring-mvc post http-status-code-403

I want to make a ajax call using $.POST. But I am getting 403 error. But GET works perfectly fine. My code is:

var url = "/xyz/abc/subscribe?name="+name;
$.post(url, function(data){
    alert(data);
});

The controller code is :

@RequestMapping(value = "/xyz/abc/subscribe", method = RequestMethod.POST)
public @ResponseBody
    String subscribe(@RequestParam("name") String name)
        throws Exception {
    String message = "TESTING";
    return message;
}

But I'm getting a 403 error.

Etam answered 6/8, 2014 at 11:55 Comment(5)

Do you have any error in the application server logs? – Alberich 6/8, 2014 at 11:57

No...I did not find any error. – Etam 6/8, 2014 at 12:12

I am getting in logs: org.springframework.security.access.AccessDeniedException: Access is denied – Etam 6/8, 2014 at 13:40

403 means that the server can correctly authenticate the user, but that the user does not have the appropriate rights to perform the selected operation. Are you using Spring security? If so, post the relevant configuration – Sibylle 6/8, 2014 at 14:5

I had the similar error and still it is not resolved #25801157 – Demi 12/9, 2014 at 15:31

Using Spring Security with Java configuration, CSRF protection is enabled by default. In this context, if you make an Ajax request to a REST endpoint using POST method, you will get a csrf token missing error.

To solve this, there are two options:

Option 1: Disable csrf

@Override
protected void configure (HttpSecurity http) throws Exception {
    http.csrf().disable();
}

Option 2: Add csrf to the ajax request. See here

Holster answered 26/5, 2015 at 23:45 Comment(6)

@Override of configure assumes your controller is a subclass of what type/class? – Headlong 24/9, 2015 at 15:0

A sublcass of org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter – Holster 24/9, 2015 at 19:0

A must have glimpse at this:- 16.3 When to use CSRF protection When should you use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection. SRC: docs.spring.io/spring-security/site/docs/current/reference/html/… – Overfill 22/5, 2016 at 4:36

Check this out : #27835367 for how to put the csrf token through jquery-ajax. – Overfill 22/5, 2016 at 5:8

Worth highlighting that the Option 1. is not recommended as it can be risky. – Novgorod 14/2, 2017 at 21:42

I was writing a POST request using requests library in Python, and the GET method worked, while POST didn't. Disabling the CSRF protection solved the problem. Thank You! – Doreathadoreen 26/5, 2018 at 11:22

You might want to add the csrf token to the request.

Obtaining the token using JSTL should be pretty straightforward. If you are using Thymeleaf, here is how to obtain it.

<script th:inline="javascript">
    /*<![CDATA[*/
    var _csrf_token = /*[[${_csrf.token}]]*/ '';
    var _csrf_param_name = /*[[${_csrf.parameterName}]]*/ '';
    /*]]>*/
</script>

Then, add it to your request:

var requestData = {
    'paramA': paramA,
    'paramB': paramB,
};
requestData[_csrf_param_name] = _csrf_token; // Adds the token

$.ajax({
    type: 'POST',
    url: '...your url...',
    data: requestData,
    ...
});

If everything goes well, the request should include something like _csrf:1556bced-b323-4a23-ba1d-5d15428d29fa (the csrf token) and you will get a 200 instead of a 403.

Itinerary answered 1/9, 2015 at 16:58 Comment(1)

This helps, but only if I change csrf_param_name to csrf. How do you know the name to use for the variable ? – Restraint 21/3, 2022 at 4:54

This is an example of without disabling CSRF.

Step 1: In your header add CSRF like this

<meta th:name="${_csrf.parameterName}" th:content="${_csrf.token}"/>

Step 2: Make call with token

$( "#create_something" ).click(function() {

  var token = $("meta[name='_csrf']").attr("content");

  $.ajax({
    url : '/xxxxxxxxxxxx', // url to make request
    headers: {"X-CSRF-TOKEN": token}, //send CSRF token in header
    type : 'POST',
    success : function(result) {
        alert(result);
    }
  })
});

Clypeate answered 21/1, 2019 at 20:57 Comment(0)

If you look to CSRFilter source code, you will see that the filter is waiting for csrfToken on header or query parameter. In my configuration, the key "_csrf" was the right key in query parameter. So, I added this parameter in my post call.

      var csrfCookie = getCsrfCookie();
    		alert(csrfCookie);
    		
    	function getCsrfCookie()
    	{
    		var ret = "";
    		var tab = document.cookie.split(";");
    		
    		if(tab.length>0){
    			var tab1 = tab[0].split("=");
    			if(tab1.length>1)
    			{
    				ret =tab1[1];
    			}
    		}
    		return ret;
    	}
    	
    	$http.post('/testPost?_csrf='+csrfCookie).success(function (response) {
             alert("post : "+response);
              return response;
          });

With this, it works for me.

Hoosegow answered 27/9, 2017 at 13:58 Comment(0)

-3

You're trying to make a POST request to a REST endpoint you're not authorized to. Either your session has become invalid, or the user you're logging in as doesn't have authority like @geoand already pointed out.

Pennant answered 6/8, 2014 at 18:46 Comment(0)

Recommended topics

Hot tags