Spring Security Access denied 403 after post

I noticed you're using csrf protection, which by default protects any HTTP verb that modifies a resource (e.g. PUT, POST, DELETE,...). If you're using Spring's form tag, a csrf token should be automatically included as a hidden input in your form. You should check the source in your browser to verify the csrf token is there, otherwise you'll need something like this:

<input type="hidden"
    name="${_csrf.parameterName}"
    value="${_csrf.token}"/> 

You can read more about csrf protection/configuration in Spring reference.