Jquery POST在spring mvc中给出403禁止错误
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/25159772/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Jquery POST giving 403 forbidden error in spring mvc
提问by user3729782
I want to make a ajax call using $.POST. But I am getting 403 error. But GET works perfectly fine. My code is:
我想使用 $.POST 进行 ajax 调用。但我收到 403 错误。但是 GET 工作得很好。我的代码是:
var url = "/xyz/abc/subscribe?name="+name;
$.post(url, function(data){
alert(data);
});
The controller code is :
控制器代码是:
@RequestMapping(value = "/xyz/abc/subscribe", method = RequestMethod.POST)
public @ResponseBody
String subscribe(@RequestParam("name") String name)
throws Exception {
String message = "TESTING";
return message;
}
But I'm getting a 403 error.
但是我收到了 403 错误。
回答by Emiliano Schiano
Using Spring Security with Java configuration, CSRF protection is enabled by default. In this context, if you make an Ajax request to a REST endpoint using POST method, you will get a csrf token missing error.
使用带有 Java 配置的 Spring Security,默认启用 CSRF 保护。在这种情况下,如果您使用 POST 方法向 REST 端点发出 Ajax 请求,您将收到 csrf 令牌丢失错误。
To solve this, there are two options:
为了解决这个问题,有两种选择:
Option 1:Disable csrf
选项 1:禁用 csrf
@Override
protected void configure (HttpSecurity http) throws Exception {
http.csrf().disable();
}
Option 2:Add csrf to the ajax request. See here
方案二:在ajax请求中加入csrf。看这里
回答by izilotti
You might want to add the csrf token to the request.
您可能希望将 csrf 令牌添加到请求中。
Obtaining the token using JSTL should be pretty straightforward. If you are using Thymeleaf, here is how to obtain it.
使用 JSTL 获取令牌应该非常简单。如果您使用的是 Thymeleaf,这里是获取它的方法。
<script th:inline="javascript">
/*<![CDATA[*/
var _csrf_token = /*[[${_csrf.token}]]*/ '';
var _csrf_param_name = /*[[${_csrf.parameterName}]]*/ '';
/*]]>*/
</script>
Then, add it to your request:
然后,将其添加到您的请求中:
var requestData = {
'paramA': paramA,
'paramB': paramB,
};
requestData[_csrf_param_name] = _csrf_token; // Adds the token
$.ajax({
type: 'POST',
url: '...your url...',
data: requestData,
...
});
If everything goes well, the request should include something like _csrf:1556bced-b323-4a23-ba1d-5d15428d29fa (the csrf token) and you will get a 200 instead of a 403.
如果一切顺利,请求应包含类似 _csrf:1556bced-b323-4a23-ba1d-5d15428d29fa(csrf 令牌)的内容,您将得到 200 而不是 403。
回答by VK321
This is an example of without disabling CSRF.
这是一个没有禁用 CSRF 的例子。
Step 1:In your header add CSRF like this
第 1 步:在您的标头中添加 CSRF,如下所示
<meta th:name="${_csrf.parameterName}" th:content="${_csrf.token}"/>
Step 2:Make call with token
第 2 步:使用令牌拨打电话
$( "#create_something" ).click(function() {
var token = $("meta[name='_csrf']").attr("content");
$.ajax({
url : '/xxxxxxxxxxxx', // url to make request
headers: {"X-CSRF-TOKEN": token}, //send CSRF token in header
type : 'POST',
success : function(result) {
alert(result);
}
})
});
回答by BenoitJ
If you look to CSRFilter source code, you will see that the filter is waiting for csrfToken on header or query parameter. In my configuration, the key "_csrf" was the right key in query parameter. So, I added this parameter in my post call.
如果您查看 CSRFilter 源代码,您将看到过滤器正在等待标头或查询参数上的 csrfToken。在我的配置中,键“_csrf”是查询参数中的正确键。所以,我在我的帖子调用中添加了这个参数。
var csrfCookie = getCsrfCookie();
alert(csrfCookie);
function getCsrfCookie()
{
var ret = "";
var tab = document.cookie.split(";");
if(tab.length>0){
var tab1 = tab[0].split("=");
if(tab1.length>1)
{
ret =tab1[1];
}
}
return ret;
}
$http.post('/testPost?_csrf='+csrfCookie).success(function (response) {
alert("post : "+response);
return response;
});With this, it works for me.
有了这个,它对我有用。
回答by Patrick Grimard
You're trying to make a POST request to a REST endpoint you're not authorized to. Either your session has become invalid, or the user you're logging in as doesn't have authority like @geoand already pointed out.
您正在尝试向您无权访问的 REST 端点发出 POST 请求。您的会话已失效,或者您登录的用户没有@geoand 已经指出的权限。
