java - 403 Forbidden Error with ajax GET request Spring

Question

I am getting a 403 forbidden-error every time I try GET a user's information from the database. Relating to my code below, every time I try request by pressing the Ajax Test button, It fails to run and gives me an alert, but also in the console gives me a 403 Forbidden-error. I am not sure whether it has something to do with Spring security?

Users JSP page:

<table>
    <tr>
        <td>User Id</td>
        <td>Full Name</td>
        <td>Username</td>
        <td>Email</td>
        <td>Date of Birth</td>
        <td>User Authority</td>
        <td>Update </td>
        <td>Delete</td>
    </tr>
    <c:forEach var="user" items="${users}">
        <tr>
            <td><c:out value="${user.id}" /></td>
            <td><c:out value="${user.name}"/></td>
            <td><c:out value="${user.username}"/></td>
            <td><c:out value="${user.email}"/></td>
            <td><c:out value="${user.dob}"/></td>
            <td><c:out value="${user.authority}"/></td>
            <td>
                <a id="update" href="<c:url value="/viewUser"><c:param name="id" value="${user.id}"/></c:url>"><button>Update</button></a>
            </td>
            <td>
                <a id="delete" href="<c:url value="/deleteUser"><c:param name="id" value="${user.id}"/></c:url>"><button>Delete</button></a>
            </td>
            <td>
                <button class="loadUser" name="id" value="${user.id}">Ajax test</button>
            </td>
        </tr>
    </c:forEach>
</table>
 <div id="personIdResponse"> </div>
<script type="text/javascript">
    $(document).ready(function(){
        $(".loadUser").click(function(e) {
            e.preventDefault();
            var personId = +$(this).val();
            $.get('${pageContext.request.contextPath}/SDP/ajaxTest/' + personId, function(user) {
                  $('#personIdResponse').text(user.name + ', = username ' + user.username);
                })
            .fail(function(user){
                alert('Could not load user');
            });
        });
    });
</script>

User Controller class:

    @RequestMapping("/viewUser")
public String updateUser(Model model, @RequestParam(value = "id", required = false) Integer id) {

    User user = usersService.getUser(id);

    model.addAttribute("user", user);

    return "settings";
}

@RequestMapping("/ajaxTest")
@ResponseBody
public User ajaxTest(@RequestParam(value = "id", required = false) Integer id) {

    User user = usersService.getUser(id); 
    return user;
}

Answer 1

It is usually caused by Spring default CSRF protection.

If you use for example DELETE HTTP request from your JS code, it is required to send also CSRF protection headers.

It is not necessary to disable CSRF protection! Please, do not do that if not necessary.

You can easily add CSRF AJAX/REST protection by:

1.Adding meta headers to every page (use @layout.html or something):

<head>
  <meta name="_csrf" th:content="${_csrf.token}"/>
  <meta name="_csrf_header" th:content="${_csrf.headerName}"/>
</head>

2.Customizing your ajax requests to sent these headers for every request:

$(function () {
  var token = $("meta[name='_csrf']").attr("content");
  var header = $("meta[name='_csrf_header']").attr("content");
  $(document).ajaxSend(function(e, xhr, options) {
    xhr.setRequestHeader(header, token);
  });
});

Notice that i use thymeleaf, so i use th:content instead of content attribute.