Java
parkito, 2016-09-29 13:43:31

Why doesn't Spring Security let some requests through?

Hello. Please help me solve a problem.
I set up Spring Security:

<http realm="JavaStudy example" use-expressions="false"
          authentication-manager-ref="dao-auth"
          access-decision-manager-ref="accessDecisionManager">
        <intercept-url pattern="/admin**" access="Manager"/>
        <intercept-url pattern="/user**" access="userAvailable"/>
        <!--<intercept-url pattern="/admin/admin**" access="Manager"/>-->
        <!--<intercept-url pattern="/user/user**" access="userAvailable"/>-->
        <form-login login-page="/login" authentication-failure-url="/login-denied"
                    username-parameter="username" password-parameter="password"
                    default-target-url="/main"/>
        <logout invalidate-session="true" logout-success-url="/"
                logout-url="/"/>
        <access-denied-handler error-page="/denied"/>
        <session-management invalid-session-url="/">
            <concurrency-control max-sessions="1"
                                 expired-url="/login"/>
        </session-management>
        <!--remember me-->
        <remember-me token-validity-seconds="1209600"
                     remember-me-parameter="remember-me"
                     user-service-ref="userDetailsService"/>
    </http>

There are two servlets
@RequestMapping(value = "/userNumberOperations", method = RequestMethod.GET)
    public String userNumberOperations(HttpServletRequest request, Locale locale, Model model) {
        User user = (User) request.getSession().getAttribute("currentUser");
        model.addAttribute("contracts", contractService.getAllContractsForUser(user.getUserId()));
        return "user/userNumberOperations";
    }

And exactly the same, but with a different request method
@RequestMapping(value = "/userNumberOperations", method = RequestMethod.POST)
    public String userNumberOperations(HttpServletRequest request, Locale locale, Model model) {
        User user = (User) request.getSession().getAttribute("currentUser");
        model.addAttribute("contracts", contractService.getAllContractsForUser(user.getUserId()));
        return "user/userNumberOperations";
    }

Spring starts up on the first servlet. But when, from the page via AJAX,
var xhr = new XMLHttpRequest();
xhr.open("POST", "userNumberOperations", false);
xhr.send();

I try to call the second one, security rejects the request and sends me to the /denied page.
Why does it do that?

1 answer(s)
aol-nnov, 2016-09-29

And who is going to put the cookies or other login/password credentials into the XMLHttpRequest, Pushkin?
