403 Forbidden Error with ajax GET request Spring


Problem description

I am getting a 403 Forbidden error every time I try to GET a user's information from the database. Relating to my code below, every time I try a request by pressing the Ajax Test button, it fails to run and gives me an alert, and the console also gives me a 403 Forbidden error. I am not sure whether it has something to do with Spring Security?

User JSP page:

<table>
    <tr>
        <td>User Id</td>
        <td>Full Name</td>
        <td>Username</td>
        <td>Email</td>
        <td>Date of Birth</td>
        <td>User Authority</td>
        <td>Update </td>
        <td>Delete</td>
    </tr>
    <c:forEach var="user" items="${users}">
        <tr>
            <td><c:out value="${user.id}" /></td>
            <td><c:out value="${user.name}"/></td>
            <td><c:out value="${user.username}"/></td>
            <td><c:out value="${user.email}"/></td>
            <td><c:out value="${user.dob}"/></td>
            <td><c:out value="${user.authority}"/></td>
            <td>
                <a id="update" href="<c:url value="/viewUser"><c:param name="id" value="${user.id}"/></c:url>"><button>Update</button></a>
            </td>
            <td>
                <a id="delete" href="<c:url value="/deleteUser"><c:param name="id" value="${user.id}"/></c:url>"><button>Delete</button></a>
            </td>
            <td>
                <button class="loadUser" name="id" value="${user.id}">Ajax test</button>
            </td>
        </tr>
    </c:forEach>
</table>
 <div id="personIdResponse"> </div>
<script type="text/javascript">
    $(document).ready(function(){
        $(".loadUser").click(function(e) {
            e.preventDefault();
            var personId = +$(this).val();
            $.get('${pageContext.request.contextPath}/SDP/ajaxTest/' + personId, function(user) {
                  $('#personIdResponse').text(user.name + ', = username ' + user.username);
                })
            .fail(function(user){
                alert('Could not load user');
            });
        });
    });
</script>

User controller class:

@RequestMapping("/viewUser")
public String updateUser(Model model, @RequestParam(value = "id", required = false) Integer id) {

    User user = usersService.getUser(id);

    model.addAttribute("user", user);

    return "settings";
}

@RequestMapping("/ajaxTest")
@ResponseBody
public User ajaxTest(@RequestParam(value = "id", required = false) Integer id) {

    User user = usersService.getUser(id); 
    return user;
}


Recommended answer

It is usually caused by Spring default CSRF protection.

If you use, for example, a DELETE HTTP request from your JS code, it is also required to send CSRF protection headers.

It is not necessary to disable CSRF protection! Please, do not do that if not necessary.

You can easily add CSRF AJAX / REST protection by:

1. Adding meta headers to every page (use @layout.html or something):

<head>
  <meta name="_csrf" th:content="${_csrf.token}"/>
  <meta name="_csrf_header" th:content="${_csrf.headerName}"/>
</head>

2. Customizing your ajax requests to send these headers for every request:

$(function () {
  var token = $("meta[name='_csrf']").attr("content");
  var header = $("meta[name='_csrf_header']").attr("content");
  $(document).ajaxSend(function(e, xhr, options) {
    xhr.setRequestHeader(header, token);
  });
});

Notice that I use Thymeleaf, so I use th:content instead of the content attribute.
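
An added example, not part of the original answer: the same `ajaxSend` hook as in step 2, but attaching the token only to same-origin requests whose method Spring Security's default CSRF check covers (it skips GET, HEAD, TRACE and OPTIONS), so the token is never sent to another origin. The helper name `csrfHeadersFor` is an assumption made for this example.

```javascript
// Added example (not from the original answer). Decides whether a request
// should carry the CSRF header read from the answer's two <meta> tags.

// Methods that Spring Security's default CSRF matcher does not protect.
var SAFE_METHODS = ['GET', 'HEAD', 'TRACE', 'OPTIONS'];

// Hypothetical helper: returns the headers to add, or {} when none are needed.
// pageOrigin is e.g. window.location.origin; meta is {header, token}.
function csrfHeadersFor(method, url, pageOrigin, meta) {
  var headers = {};
  var verb = String(method || 'GET').toUpperCase();
  if (SAFE_METHODS.indexOf(verb) !== -1) return headers;    // read-only request
  if (!meta || !meta.header || !meta.token) return headers; // meta tags missing

  // Resolve relative URLs against the page; never send the token cross-origin.
  try {
    var target = new URL(url, pageOrigin);
    if (target.origin !== new URL(pageOrigin).origin) return headers;
  } catch (e) {
    return headers; // unparseable URL: send nothing
  }

  headers[meta.header] = meta.token;
  return headers;
}

// Browser wiring, same hook as the answer; skipped when jQuery is absent.
if (typeof window !== 'undefined' && typeof window.jQuery !== 'undefined') {
  window.jQuery(function ($) {
    var meta = {
      header: $("meta[name='_csrf_header']").attr('content'),
      token: $("meta[name='_csrf']").attr('content')
    };
    $(document).ajaxSend(function (e, xhr, options) {
      var h = csrfHeadersFor(options.type, options.url, window.location.origin, meta);
      Object.keys(h).forEach(function (name) { xhr.setRequestHeader(name, h[name]); });
    });
  });
}
```
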
