Reputation: 71
Spring security, error 405 with protecting current post method
I use spring security with roles to protect current pages or actions with their own addresses of my application. With access denied page i can catch page of error 403 (access denied) when user tries to get not allowed page, but when i protect current action, like this:
<form th:action="'/blog/'+${el.id}+'/remove'" method="post">
<button class = "btn btn-warning" type="submit">Delete</button>
</form>
With current controller's method:
@PostMapping("/blog/{id}/remove")
public String blogPostRemove(@PathVariable(value = "id") long postId, Model model) {
Post post = postRepository.findById(postId).orElseThrow();
postRepository.delete(post);
return "redirect:/blog";
}
When user with not allowed role tries to act he will get page with error 405: There was an unexpected error (type=Method Not Allowed, status=405). Request method 'POST' not supported. User with allowed role doesn't have any problem. There is a WebSecurityConfig code:
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/unpublished","/blog/*/remove","/blog/*/comments/*/remove")
.hasAuthority("ADMIN")
.antMatchers("/blog/*/edit","/blog/*/comment","/blog/add").authenticated()
.antMatchers("/","/registration","/login","/blog/*").permitAll()
.and().formLogin()
.loginPage("/login")
.and().exceptionHandling()
.accessDeniedPage("/access-denied");
http.csrf().disable();
}
}
How can i change this page with my /access-denied? Logs:
2020-07-13 11:26:58.094 DEBUG 42636 --- [nio-8080-exec-6] o.s.web.servlet.DispatcherServlet : GET "/blog/28", parameters={}
2020-07-13 11:26:58.096 DEBUG 42636 --- [nio-8080-exec-6] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to com.example.springExample.controllers.BlogController#blogDetails(long, Model)
2020-07-13 11:26:58.364 DEBUG 42636 --- [nio-8080-exec-6] o.s.w.s.v.ContentNegotiatingViewResolver : Selected 'text/html' given [text/html, application/xhtml+xml, image/webp, image/apng, application/xml;q=0.9, application/signed-exchange;v=b3;q=0.9, *//*;q=0.8]
2020-07-13 11:26:58.402 DEBUG 42636 --- [nio-8080-exec-6] o.s.web.servlet.DispatcherServlet : Completed 200 OK
2020-07-13 11:27:04.814 DEBUG 42636 --- [nio-8080-exec-9] o.s.web.servlet.DispatcherServlet : "FORWARD" dispatch for POST "/access-denied", parameters={}
2020-07-13 11:27:04.816 WARN 42636 --- [nio-8080-exec-9] .w.s.m.s.DefaultHandlerExceptionResolver : Resolved [org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'POST' not supported]
2020-07-13 11:27:04.817 DEBUG 42636 --- [nio-8080-exec-9] o.s.web.servlet.DispatcherServlet : Exiting from "FORWARD" dispatch, status 405
2020-07-13 11:27:04.818 DEBUG 42636 --- [nio-8080-exec-9] o.s.web.servlet.DispatcherServlet : "ERROR" dispatch for POST "/error", parameters={}
2020-07-13 11:27:04.818 DEBUG 42636 --- [nio-8080-exec-9] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped to org.springframework.boot.autoconfigure.web.servlet.error.BasicErrorController#errorHtml(HttpServletRequest, HttpServletResponse)
2020-07-13 11:27:04.831 DEBUG 42636 --- [nio-8080-exec-9] o.s.w.s.v.ContentNegotiatingViewResolver : Selected 'text/html' given [text/html, text/html;q=0.8]
2020-07-13 11:27:04.838 DEBUG 42636 --- [nio-8080-exec-9] o.s.web.servlet.DispatcherServlet : Exiting from "ERROR" dispatch, status 405
Upvotes: 2
Views: 1161
Answers (1)
Reputation: 71
I located the problem - when user tries to act, he will send post method from form. When application catches an access-denied error, it will try to get /access-denied page, but due to action type, it will be post request. Solution is to add PostMapping function of /access-denied page to the current controller:
@GetMapping("/access-denied")
public String blockAccess(Model model) {
return "access-denied";
}
@PostMapping("/access-denied")
public String actionAccess(Model model) {
return "access-denied";
}
Upvotes: 4
Related Questions
- Spring Security - 405 Request Method 'POST' Not Supported
- 405 - Request method 'POST' not supported Spring MVC + Spring Security
- HTTP Status 405 - Request method 'POST' not supported in Spring MVC with Spring Security
- Spring-mvc with spring security getting HTTP Status 405 - Request method 'POST' not supported
- Spring Security Request method 'POST' not supported
- spring-security:HTTP Status 405 - Request method 'POST' not supported
- Request method 'POST' not supported - SPRING
- Spring 405 error for POST method
- Why Spring security prevents POST?
- HTTP Status 405 - Request method 'POST' not supported Spring MVC