Spring Security Access Denied 403 After Post

I've tried almost everything in other posts about this; nothing related to my problem.

If I try to retrieve my URL via GET (e.g. /users/edit/1), everything works fine and I am redirected to the user edit page, but if I try to access this page via POST, Spring Security denies my access to the page.

Both methods show up in my controller class.

@RequestMapping(value="/users/edit/{id}", method={RequestMethod.POST,RequestMethod.GET})
public ModelAndView login(ModelAndView model, @PathVariable("id") int id ) {
    model.addObject("user", this.userService.getUserById(id));
    model.setViewName("/users/add"); //add.jsp
    return model;
}

My form, in which I am using POST:

<f:form method="post" action="/users/edit/${user.id}">
     <button type="submit">Edit</button>
</f:form>

My Spring security.xml:

<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/secure**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
    <intercept-url pattern="/secure/users**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />

    <!-- access denied page -->
    <access-denied-handler error-page="/denied" />
    <form-login 
        login-page="/home" 
        default-target-url="/secure" 
        authentication-failure-url="/home?error" 
        username-parameter="inputEmail"
        password-parameter="inputPassword" />
    <logout logout-success-url="/home?logout"  />
    <!-- enable csrf protection -->
    <csrf/>
</http>

<!-- Select users and user_roles from database -->
<authentication-manager>
    <authentication-provider>
        <password-encoder hash="md5" /> 
        <jdbc-user-service data-source-ref="dataSource"
            users-by-username-query=
            "SELECT login, senha, ativo
               FROM usuarios 
              WHERE login = ?"
            authorities-by-username-query=
            "SELECT u.login, r.role
               FROM usuarios_roles r, usuarios u
              WHERE u.id = r.usuario_id
                AND u.login = ?" />
    </authentication-provider>
</authentication-manager>

</beans:beans>

3 answers


I noticed that you are using CSRF protection, which by default protects any HTTP verb that modifies a resource (e.g. PUT, POST, DELETE, ...). If you are using a Spring form tag, the CSRF token should be automatically included as a hidden input in your form. You have to check the source in your browser to check for the CSRF token; otherwise you need something like this:

<input type="hidden"
    name="${_csrf.parameterName}"
    value="${_csrf.token}"/> 
You can read more about CSRF security / configuration in Spring.

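As an added illustration (not code from the question, the answers, or Spring Security itself), this minimal servlet filter mirrors the logic behind the behaviour described above: safe methods pass untouched, while a POST must carry a token that matches the one stored in the session or it ends in 403. It assumes the Servlet 3.x API and Spring Security's default parameter and header names (`_csrf`, `X-CSRF-TOKEN`); the class name and the session attribute name are this example's own.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

public class SimpleCsrfFilter implements Filter {
    // Parameter/header names match Spring Security's defaults; the session attribute name is ours.
    static final String PARAM = "_csrf";
    static final String HEADER = "X-CSRF-TOKEN";
    static final String SESSION_ATTR = "example.csrf.token";
    // Only these "safe" methods pass without a token; POST does not.
    static final Set<String> SAFE_METHODS =
        new HashSet<>(Arrays.asList("GET", "HEAD", "TRACE", "OPTIONS"));

    // Per-session token, created on first use so a GET can render it into the form.
    static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(SESSION_ATTR);
        if (token == null) {
            token = UUID.randomUUID().toString();
            session.setAttribute(SESSION_ATTR, token);
        }
        return token;
    }
    // Constant-time comparison so the check leaks no timing information.
    static boolean tokensMatch(String expected, String actual) {
        return expected != null && actual != null
            && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String expected = tokenFor(request.getSession(true));
        request.setAttribute(PARAM, expected); // lets the JSP emit the hidden input
        if (!SAFE_METHODS.contains(request.getMethod())) {
            String actual = request.getParameter(PARAM);
            if (actual == null) actual = request.getHeader(HEADER);
            if (!tokensMatch(expected, actual)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CSRF token");
                return; // POST /users/edit/1 without the hidden input ends here
            }
        }
        chain.doFilter(req, res);
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

A Spring Security application already runs the real CsrfFilter once `<csrf/>` is configured, so this is for understanding the 403, not for deploying alongside it. The hidden input shown in the answer is what makes the POST carry the `_csrf` parameter that a check like this reads.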

You can just use <sec:csrfInput/>

like this:

    <f:form method="post" action="/users/edit/${user.id}">
        <button type="submit">Edit</button>
        <sec:csrfInput/>
    </f:form>
And please don't forget to import the Spring Security tag library:

<%@ taglib uri="http://www.springframework.org/security/tags" prefix="sec" %>


I know this is an old post, but I want to post this in case someone comes across it while searching like me.

Make sure you have the correct annotations on the class that extends WebSecurityConfigurerAdapter:

    @Configuration
    @EnableWebSecurity

I missed this and spent several hours working on a problem that was not there.
