Mushtaq Jameel Mushtaq Jameel - 6 months ago 182
Javascript Question

Spring Security - All JQuery Ajax post requests return 404

All my

$.ajax
, both
POST
and
GET
were working fine, but as soon as I integrated
Spring security 3.2.6
into my project the
POST
ajax requests stopped working without loggin any issues.

spring-security.xml



<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.springframework.org/schema/security"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">

<!--Permit all Web resources to bypass proxy-->
<http pattern="/js/**" security="none"/>
<http pattern="/css/**" security="none"/>
<http pattern="/fonts/**" security="none"/>
<http pattern="/images/**" security="none"/>

<http auto-config="true" use-expressions="true" >

<intercept-url pattern="/login" access="isAnonymous()"/>

<intercept-url pattern="/workflow**" access="hasRole('ROLE_WORKFLOW_ADMIN')"/>
<intercept-url pattern="/**" access="hasAnyRole('ROLE_ADMIN','ROLE_WORKFLOW_ADMIN','ROLE_DMS_ADMIN')"/>

<access-denied-handler error-page="/403"/>

<form-login
login-page="/login"
default-target-url="/dashboard"
authentication-failure-url="/login?error"
username-parameter="username"
password-parameter="password"/>

<logout invalidate-session="true" logout-success-url="/login?logout"/>

<csrf/>
</http>

<!-- Select users and user_roles from database -->
<authentication-manager>
<authentication-provider ref="daoAuthenticationProvider"/>
</authentication-manager>

<beans:bean id="daoAuthenticationProvider"
class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
<beans:property name="userDetailsService" ref="authService"/>
</beans:bean>


</beans:beans>


Web.xml



<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">

<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

<servlet>
<servlet-name>mvc-dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
<servlet-name>mvc-dispatcher</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>

<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
/WEB-INF/mvc-dispatcher-servlet.xml
/WEB-INF/spring-security.xml
</param-value>
</context-param>

<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/error</location>
</error-page>

</web-app>


Edit




The URL I am trying to access is


http://localhost:8080/ADMIN/workflow/sample-ajax


Could it be something to with spring security ?

Answer

Finally after three agonizing days, I found the problem and boy was it stupid.

The problem was that I have enabled csrf protection in spring security. And that was causing my post requests to be forbidden which triggers the access-denied-handler error page, since I have not mapped my access-denied-handlerto the "/403" error page as shown below, my http 403/401 was being masked by the http 404

<access-denied-handler error-page="/403"/>

So in Short

  1. Map your access-denied-handler error page to a valid url
  2. If you use csrf protection, then always make sure that you pass them in the ajax post request as such

$.ajax({method :'POST', url : '/ajax',data : {"${_csrf.parameterName}" : "${_csrf.token}"}});

Comments