Tags: spring, spring-boot, spring-security, http-post, thymeleaf

Receiving an object posted by HTTP POST


Hello, I'm trying to make an email confirmation API for my Spring app. The user needs to type his/her name, notes, company/job and email. After receiving this object I want to send a confirmation link to the email.

This is the HTML code:

<form method="POST" th:object="${Signature}">
   <label>Name : </label>
   <input id="inputName" type="text" th:field="*{name}">
   <label>Note : </label>
   <input id="inputNote" type="text" th:field="*{note}">
   <br>
   <label>Company : </label>
   <input id="inputCompany" type="text" th:field="*{company}">
   <label>Contact Info : </label>
   <input id="inputContact" type="email" th:field="*{email}" placeholder="This info will not be shared">
   <button>Submit</button>
   <br>
</form>

This is the controller:

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
@RequestMapping("/")
public class RootController
{
   // GET /: puts an empty Signature in the model so th:object="${Signature}" can bind to it
   @GetMapping
   public String root(Model model)
   {
      model.addAttribute("Signature", new Signature());
      return "Public/Home";
   }
   
   // POST /: Spring binds the submitted form fields onto a new Signature
   @PostMapping
   public String signPosted(Signature s)
   {
      System.out.println("Post Received");
      
      return "redirect:/thanks";
   }
}

Note: even though the application is on the root ("/"), users have to go to /#contact when they are posting.

This is the object class:

import lombok.Data;

import javax.validation.constraints.NotBlank;

@Data
public class Signature
{
   //@NotBlank(message="Name is required")
   private String name;
   
   private String note;
   
   //@NotBlank(message="Email is required")
   private String email;
   
   //@NotBlank(message="Company is required")
   private String company;
   
   public Signature(){}
   
   public Signature(String name,
                    String note,
                    String email,
                    String company)
   {
      this.name = name;
      this.note = note;
      this.email = email;
      this.company = company;
   }
}

When I click the submit button it takes me to an error page and the message is:

There was an unexpected error (type=Forbidden, status=403).

My security configuration is:

http
    .authorizeRequests()
    .antMatchers("/admin/**")
    .authenticated()
    .antMatchers("/**")
    .permitAll()
    .anyRequest()
    .authenticated()
    .and()
    .httpBasic();

Solution

  • It's because you haven't disabled CSRF protection (enabled for every HTTP verb except GET) in your Spring Security configuration, and at the same time you haven't sent a CSRF token in your HTML form.

    Try this Spring Security configuration if you want to disable CSRF protection:

    http
        .csrf().disable()
        .authorizeRequests()
        .antMatchers("/admin/**")
        .authenticated()
        .antMatchers("/**")
        .permitAll()
        .anyRequest()
        .authenticated()
        .and()
        .httpBasic();
    

    Try this if you want to keep CSRF protection and add a CSRF token to your HTML form:

    <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
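For a browser-facing form like this one, the second option (keep CSRF protection, add the hidden field) is the right fix; `csrf().disable()` makes the endpoint usable from any third-party page that can get a logged-in user's browser to submit a form. The following is an added example, not code from the question or the answer, that models what Spring Security's CsrfFilter does with the synchronizer token pattern so the 403 is easy to reason about. It is plain Python with constructed `Session` and `Request` stand-ins for the servlet objects; the names `_csrf`, `X-CSRF-TOKEN` and the safe-method list mirror Spring Security's defaults, while `csrf_filter`, `render_form` and `demo` are this example's own helpers:

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# These names mirror Spring Security's defaults (HttpSessionCsrfTokenRepository / CsrfFilter).
CSRF_PARAM = "_csrf"                             # form parameter name (${_csrf.parameterName})
CSRF_HEADER = "X-CSRF-TOKEN"                     # header alternative for XHR/fetch callers
SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}  # verbs CsrfFilter never checks


@dataclass
class Session:
    """Constructed stand-in for the servlet HttpSession; only the CSRF token lives here."""
    csrf_token: Optional[str] = None


@dataclass
class Request:
    """Constructed stand-in for an HttpServletRequest."""
    method: str
    session: Session
    form: Dict[str, str] = field(default_factory=dict)
    headers: Dict[str, str] = field(default_factory=dict)


def load_or_create_token(session: Session) -> str:
    """Synchronizer token pattern: one unguessable token per session, created
    lazily the first time a page needs it (what ${_csrf.token} resolves to)."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def render_form(session: Session) -> str:
    """Roughly what the Thymeleaf template produces once the hidden input is added."""
    token = load_or_create_token(session)
    return (
        '<form method="POST">'
        f'<input type="hidden" name="{CSRF_PARAM}" value="{token}"/>'
        '<input type="text" name="name"/><button>Submit</button></form>'
    )


def csrf_filter(req: Request) -> int:
    """Return the status the CSRF check yields: 200 lets the request reach the
    controller, 403 rejects it (the 'type=Forbidden, status=403' page in the question)."""
    if req.method.upper() in SAFE_METHODS:
        return 200  # only state-changing verbs are checked
    expected = req.session.csrf_token
    if expected is None:
        return 403  # no token was ever issued to this session
    actual = req.headers.get(CSRF_HEADER) or req.form.get(CSRF_PARAM)
    if actual is None:
        return 403  # form posted without the hidden field: the asker's situation
    # Constant-time comparison; encoding first keeps compare_digest happy with any str.
    return 200 if hmac.compare_digest(expected.encode(), actual.encode()) else 403


def demo() -> Dict[str, int]:
    """Constructed scenario: one logged-in session, four requests against it."""
    session = Session()
    render_form(session)  # the GET of the home page issues the token
    token = session.csrf_token
    fields = {"name": "Ada", "note": "hi", "company": "ACME", "email": "ada@example.com"}
    # A cross-site page can make the victim's browser POST with the session cookie,
    # but it cannot read the token out of the victim's page, so it sends none or a guess.
    return {
        "post_without_token": csrf_filter(Request("POST", session, form=dict(fields))),
        "post_with_token": csrf_filter(Request("POST", session, form={**fields, CSRF_PARAM: token})),
        "post_with_forged_token": csrf_filter(Request("POST", session, form={**fields, CSRF_PARAM: "A" * 43})),
        "get_never_checked": csrf_filter(Request("GET", session)),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Two things worth knowing when wiring this up in the real app: with the Thymeleaf Spring integration, a form that uses `th:action="@{/}"` gets the `_csrf` hidden input inserted automatically, so the explicit `<input type="hidden" ...>` is only needed when the form has no `th:action`; and the `#contact` fragment in `/#contact` is never sent to the server, so the browser still POSTs to `/` exactly as the `@PostMapping` expects.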