Spring Security - All JQuery Ajax post requests return 404

Finally after three agonizing days, I found the problem and boy was it stupid.

The problem was that I have enabled csrf protection in spring security. And that was causing my post requests to be forbidden which triggers the access-denied-handler error page, since I have not mapped my access-denied-handlerto the "/403" error page as shown below, my http 403/401 was being masked by the http 404

<access-denied-handler error-page="/403"/>

So in Short

  1. Map your access-denied-handler error page to a valid url
  2. If you use csrf protection, then always make sure that you pass them in the ajax post request as such

$.ajax({method :'POST', url : '/ajax',data : {"${_csrf.parameterName}" : "${_csrf.token}"}});


There is one more situation that must be consulted specially when you are implementing spring security 4, one needs form button (not "a href").

https://spring.io/blog/2013/08/21/spring-security-3-2-0-rc1-highlights-csrf-protection/#ajax-requests.

A> form post request sent: input type hidden in both login/logout buttons

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

B> For AJAX post request add following in your JSP page after taglib declarations.

<meta name="_csrf" content="${_csrf.token}" />
<meta name="_csrf_header" content="${_csrf.headerName}" />

and some where above closing body tag in jsp any where as it "on ready"

<script type="text/javascript">
$(function() {
    var token = $("meta[name='_csrf']").attr("content");
    var header = $("meta[name='_csrf_header']").attr("content");
    $(document).ajaxSend(function(e, xhr, options) {
        xhr.setRequestHeader(header, token);
    });
});
 </script>

It should work! if you have CORS issues still remaining, see article below. http://www.html5rocks.com/en/tutorials/cors/


Alternative solution using Spring Boot 2.2.1 with Spring MVC, Spring Security 5 and Thymeleaf 3.0.11

I am so happy that I finally found a solution to this problem, that I would also like to share it here:

Problem:

In my case, it was a $.ajax POST request to a valid URL returning 404 error status (not found).

@Mushtaq Jameel has explained that the original cause of the problem is csrf, which is enabled by default as of Spring Security 4 (source).

Solution:

I have not tested what @Mushtaq Jameel proposed, but this elegant quick fix worked for me:

AJAX code:

  $.ajax({
                type: "POST",
                url: "/",
                data: $('.cd-signin-modal__form.sign-up').serialize(),  // <- FIX    
                success: // some code
                error: // some code
            });

        }

In other words, the solution is calling the .serialize() method on the HTML form itself.

What happens then, is that a _csfr token is automatically added in the POST request as an additional form parameter:

enter image description here

This is again due to csrf being enabled by default in the newer versions of Spring Security (here it is mentioned that this hidden form parameter is added automatically).

My Spring MVC controller then accepts the form like this:

 @PostMapping("/")
    public String createUser(@Valid @ModelAttribute User user, @Valid @ModelAttribute UserDetails userDetails, BindingResult errors) {
        if (errors.hasErrors()) {
            // handle errors
        }
        //  persist objects in database
        return "index";
    }