DELETE operation returns ERROR: There was an unexpected error (type=Forbidden, status=403). Forbidden
Question
I am working on a spring-boot project which includes thymeleaf , spring-security . It works fine when I perform - showing products-list, showing products-details, adding new product, updating existing product.
But when I perform - deleting an product, it gives the following ERROR:
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu Jul 18 16:59:16 BDT 2019
There was an unexpected error (type=Forbidden, status=403).
Forbidden
Here is my code:
product_list.html
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
<title>Product List</title>
<link rel="stylesheet" th:href="@{/css/bootstrap.css}">
</head>
<body>
<div class="container">
<h1>Product List</h1>
<hr>
<a class="btn btn-success" th:href="@{/products/add}">Create New Product</a>
<hr>
<table class="table">
<thead>
<tr>
<th>Product ID</th>
<th>Name</th>
<th>Brand</th>
<th>Made In</th>
<th>Price</th>
<th>Actions</th>
</tr>
</thead>
<tbody>
<tr th:each="theProduct:${theProducts}">
<td th:text="${theProduct.id}">Product ID</td>
<td th:text="${theProduct.name}">Name</td>
<td th:text="${theProduct.brand}">Brand</td>
<td th:text="${theProduct.madein}">Made In</td>
<td th:text="${theProduct.price}">Price</td>
<td>
<a class="btn btn-info" th:href="@{'/products/show/' + ${theProduct.id}}">View</a>
<a class="btn btn-warning" th:href="@{'/products/edit/' + ${theProduct.id}}">Edit</a>
<a class="btn btn-danger" th:data-the-product-id="${theProduct.id}" data-toggle="modal" data-target="#deleteConfirmationModal">Delete</a>
<div class="modal fade" id="deleteConfirmationModal" tabindex="-1" role="dialog" aria-labelledby="deleteConfirmationModalLabel" aria-hidden="true">
<div class="modal-dialog" role="document">
<div class="modal-content">
<div class="modal-header">
<h5 class="modal-title" id="exampleModalLabel">Delete Confirmation</h5>
<button type="button" class="close" data-dismiss="modal" aria-label="Close">
<span aria-hidden="true">×</span>
</button>
</div>
<div class="modal-body">
Are you sure you want to DELETE the Product.
<br>
<form id="deleteForm" action="#" th:method="DELETE">
<button type="submit" class="btn btn-danger">Delete Employee</button>
</form>
</div>
<div class="modal-footer">
<button type="button" class="btn btn-secondary" data-dismiss="modal">Close</button>
</div>
</div>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<script th:src="@{/js/jquery-3.3.1.js}"></script>
<script th:src="@{/js/popper.js}"></script>
<script th:src="@{/js/bootstrap.js}"></script>
<script>
$('#deleteConfirmationModal').on('show.bs.modal', function (event) {
var anchorLink = $(event.relatedTarget)
var theProductId = anchorLink.data('theProductId')
var modal = $(this)
$("#deleteForm").attr("action", "/products/delete/" + theProductId)
})
</script>
</body>
</html>
ProductController.java
package com.example.demo.controller;
import java.util.List;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import com.example.demo.dao.ProductRepository;
import com.example.demo.entity.Product;
@Controller
@RequestMapping("/products")
public class ProductController {
@Autowired
private ProductRepository productRepository;
@GetMapping("/index")
public String index(Model theModel) {
List<Product> theProducts = productRepository.findAll();
theModel.addAttribute("theProducts", theProducts);
return "product/product_list";
}
@GetMapping("/add")
public String add(Model theModel) {
Product theProduct = new Product();
theModel.addAttribute("theProduct", theProduct);
return "product/product_add_form";
}
@GetMapping("/show/{productId}")
public String show(@PathVariable int productId, Model theModel) {
Product theProduct = productRepository.findById(productId).get();
if(theProduct == null) {
return null;
}
theModel.addAttribute("theProduct", theProduct);
return "product/product_detail";
}
@PostMapping("/create")
public String create(@ModelAttribute("theProduct") Product theProduct) {
theProduct.setId(0);
productRepository.save(theProduct);
return "redirect:/products/index";
}
@GetMapping("/edit/{productId}")
public String edit(@PathVariable(name="productId") int productId, Model theModel) {
Product theProduct = productRepository.findById(productId).get();
theModel.addAttribute("theProduct", theProduct);
return "product/product_edit_form";
}
@PutMapping("/update")
public String update(@ModelAttribute("theProduct") Product theProduct) {
productRepository.save(theProduct);
return "redirect:/products/index";
}
@DeleteMapping("/delete/{productId}")
public String delete(@PathVariable int productId) {
Product tempProduct = productRepository.findById(productId).get();
if(tempProduct == null) {
return null;
}
productRepository.deleteById(productId);
return "redirect:/products/index";
}
}
LoginController.java
package com.example.demo.controller;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
@Controller
public class LoginController {
@RequestMapping("/login")
public String login() {
return "login";
}
@GetMapping("/")
public String home(Model theModel) {
return "redirect:/products/index";
}
}
SecurityConfig.java
package com.example.demo.config;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.User.UserBuilder;
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private DataSource dataSource;
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
UserBuilder users = User.withDefaultPasswordEncoder();
auth.inMemoryAuthentication().withUser(users.username("admin").password("Admin.123").roles("EMPLOYEE", "ADMIN"));
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/css/**")
.permitAll()
.antMatchers("/js/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/authenticateTheUser")
.permitAll()
.and()
.logout()
.permitAll();
}
}
3 answers
solution1
2 2019-07-18 11:43:13
Try disabling csrf token in your configuration:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/css/**")
.permitAll()
.antMatchers("/js/**")
.permitAll()
.anyRequest()
.authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/authenticateTheUser")
.permitAll()
.and()
.logout()
.permitAll()
.and().csrf().disable();
}
solution2
1 ACCPTED 2019-07-18 16:05:12
fortunately you add "modal" inside thymeleaf each loop, so edit your html from according my code ....
<form id="deleteForm" th:action="${'/products/delete/' + theProductId}" th:method="DELETE">
<button type="submit" class="btn btn-danger">Delete Employee</button>
</form>
this is tested code ...working fine ..
you just miss "th:action" for that it dose not work as thymeleaf form. so thymeleaf dose not provide hidden "_csrf" field;
solution3
0 2019-07-18 11:44:32
我想问题是你错过了:href for delete按钮。
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
There was an unexpected error (type=Forbidden, status=403).Forbiden
Spring-boot with spring secutiry error: There was an unexpected error (type=Forbidden, status=403)
Unexpected error (type=Forbidden, status=403) using csrf with Spring Security v3.0.0 and Thymeleaf
Custom formLogin() in Spring security returns a (type=Forbidden, status=403)
GlassFish Forbidden 403 error page
Java SSL error 403 Forbidden
Error 403--Forbidden error on weblogic
403 Status (Forbidden) when PUT and DELETE using AJAX
403 forbidden error with spring boot API call?
Error posting files with RequestBuilder, 403 Forbidden cloudflare
Related Tags