Jquery POST giving 403 forbidden error in spring mvc

Question

I want to make a ajax call using $.POST. But I am getting 403 error. But GET works perfectly fine. My code is:

var url = "/xyz/abc/subscribe?name="+name;
$.post(url, function(data){
    alert(data);
});

The controller code is :

@RequestMapping(value = "/xyz/abc/subscribe", method = RequestMethod.POST)
public @ResponseBody
    String subscribe(@RequestParam("name") String name)
        throws Exception {
    String message = "TESTING";
    return message;
}

But I'm getting a 403 error.

Answer 1

This is an example of without disabling CSRF.

Step 1: In your header add CSRF like this

<meta th:name="${_csrf.parameterName}" th:content="${_csrf.token}"/>

Step 2: Make call with token

$( "#create_something" ).click(function() {

  var token = $("meta[name='_csrf']").attr("content");

  $.ajax({
    url : '/xxxxxxxxxxxx', // url to make request
    headers: {"X-CSRF-TOKEN": token}, //send CSRF token in header
    type : 'POST',
    success : function(result) {
        alert(result);
    }
  })
});

Answer 2

Using Spring Security with Java configuration, CSRF protection is enabled by default. In this context, if you make an Ajax request to a REST endpoint using POST method, you will get a csrf token missing error.

To solve this, there are two options:

Option 1: Disable csrf

@Override
protected void configure (HttpSecurity http) throws Exception {
    http.csrf().disable();
}

Option 2: Add csrf to the ajax request. See here

Answer 3

If you look to CSRFilter source code, you will see that the filter is waiting for csrfToken on header or query parameter. In my configuration, the key "_csrf" was the right key in query parameter. So, I added this parameter in my post call.

      var csrfCookie = getCsrfCookie();
    		alert(csrfCookie);
    		
    	function getCsrfCookie()
    	{
    		var ret = "";
    		var tab = document.cookie.split(";");
    		
    		if(tab.length>0){
    			var tab1 = tab[0].split("=");
    			if(tab1.length>1)
    			{
    				ret =tab1[1];
    			}
    		}
    		return ret;
    	}
    	
    	$http.post('/testPost?_csrf='+csrfCookie).success(function (response) {
             alert("post : "+response);
              return response;
          });

With this, it works for me.

Answer 4

You might want to add the csrf token to the request.

Obtaining the token using JSTL should be pretty straightforward. If you are using Thymeleaf, here is how to obtain it.

<script th:inline="javascript">
    /*<![CDATA[*/
    var _csrf_token = /*[[${_csrf.token}]]*/ '';
    var _csrf_param_name = /*[[${_csrf.parameterName}]]*/ '';
    /*]]>*/
</script>

Then, add it to your request:

var requestData = {
    'paramA': paramA,
    'paramB': paramB,
};
requestData[_csrf_param_name] = _csrf_token; // Adds the token

$.ajax({
    type: 'POST',
    url: '...your url...',
    data: requestData,
    ...
});

If everything goes well, the request should include something like _csrf:1556bced-b323-4a23-ba1d-5d15428d29fa (the csrf token) and you will get a 200 instead of a 403.

Answer 5

You're trying to make a POST request to a REST endpoint you're not authorized to. Either your session has become invalid, or the user you're logging in as doesn't have authority like @geoand already pointed out.