Menu
I've tried almost everything in the others posts about it, nothing is related with my problem.
If I try to recover my URL via GET (ex: path/users/edit/1 ) everything works fine and I get redirected to the user edit page, but If I try to access this page via POST, the spring security deny my access to the page.
Both of the methods are mapped in my controller class.
@RequestMapping(value="/users/edit/{id}", method={RequestMethod.POST,RequestMethod.GET})
public ModelAndView login(ModelAndView model, @PathVariable("id") int id ) {
model.addObject("user", this.userService.getUserById(id));
model.setViewName("/users/add"); //add.jsp
return model;
}
My form which I use post
<f:form method="post" action="/users/edit/${user.id}">
<button type="submit">Edit</button>
</f:form>
Spring security.xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.2.xsd">
<!-- enable use-expressions -->
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/secure**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<intercept-url pattern="/secure/users**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')" />
<!-- access denied page -->
<access-denied-handler error-page="/denied" />
<form-login
login-page="/home"
default-target-url="/secure"
authentication-failure-url="/home?error"
username-parameter="inputEmail"
password-parameter="inputPassword" />
<logout logout-success-url="/home?logout" />
<!-- enable csrf protection -->
<csrf/>
</http>
<!-- Select users and user_roles from database -->
<authentication-manager>
<authentication-provider>
<password-encoder hash="md5" />
<jdbc-user-service data-source-ref="dataSource"
users-by-username-query=
"SELECT login, senha, ativo
FROM usuarios
WHERE login = ?"
authorities-by-username-query=
"SELECT u.login, r.role
FROM usuarios_roles r, usuarios u
WHERE u.id = r.usuario_id
AND u.login = ?" />
</authentication-provider>
</authentication-manager>
488
Spring security exceptions can be directly handled by adding custom filters and constructing the response body. To handle these exceptions at a global level via @ExceptionHandler and @ControllerAdvice, we need a custom implementation of AuthenticationEntryPoint.
The simple answer is; “You need to be given the correct access”. Without being given the correct access you'd technically be hacking the server, as it is specifically set up to restrict said access.
You can put entry for attribute access-denied-handler in spring-security.xml as below. + ", You can not access this page!"); "You can not access this page!"); Please refer to Spring security database authentication for spring-security.xml and other files. You can also use AccessDeniedHandler to handle 403 access denied page.
Spring Security Custom 403 Access Denied Page In Spring security, when an unauthorized user will try to access the secure/ protected page, spring security will throw an access denied exception. There is a default 403 access denied page available with spring security, or if we are using spring boot, it will show the infamous whitelabel error page.
Custom JSP Whenever a user attempts to access a page that is restricted to roles they do not have, the application will return a status code of 403, which means Access Denied. In order to replace the Spring 403 status response page with a custom one, let's first create a JSP file called accessDenied.jsp:
Custom JSP Whenever a user attempts to access a page that is restricted to roles they do not have, the application will return a status code of 403, which means Access Denied.
I noticed you're using csrf protection, which by default protects any HTTP verb that modifies a resource (e.g. PUT, POST, DELETE,...). If you're using Spring's form tag, a csrf token should be automatically included as a hidden input in your form. You should check the source in your browser to verify the csrf token is there, otherwise you'll need something like this:
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
You can read more about csrf protection/configuration in Spring reference.
118
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
