Spring Security Access denied 403 after post
I noticed you're using csrf protection, which by default protects any HTTP verb that modifies a resource (e.g. PUT, POST, DELETE,...). If you're using Spring's form tag, a csrf token should be automatically included as a hidden input in your form. You should check the source in your browser to verify the csrf token is there, otherwise you'll need something like this:
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
You can read more about csrf protection/configuration in Spring reference.