|
|
@@ -70,6 +70,7 @@ From a Spring Security perspective, the first thing you should do is follow the
|
|
|
.. <<faq-session-listener-missing>>
|
|
|
.. <<faq-unwanted-session-creation>>
|
|
|
. Miscellaneous
|
|
|
+.. <<403-csrf>>
|
|
|
.. <<faq-no-security-on-forward>>
|
|
|
.. <<faq-method-security-in-web-context>>
|
|
|
.. <<faq-no-filters-no-context>>
|
|
|
@@ -206,6 +207,11 @@ This usually means that the user's application is creating a session somewhere,
|
|
|
|
|
|
If you are having trouble working out where a session is being created, you can add some debugging code to track down the location(s). One way to do this would be to add a `javax.servlet.http.HttpSessionListener` to your application, which calls `Thread.dumpStack()` in the `sessionCreated` method.
|
|
|
|
|
|
+[[403-csrf]]
|
|
|
+=== I get a 403 Forbidden when performing a POST
|
|
|
+
|
|
|
+If an HTTP 403 Forbidden is returned for HTTP POST, but works for HTTP GET then the issue is most likely related to http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf[CSRF]. Either provide the CSRF Token or disable CSRF protection (not recommended).
|
|
|
+
|
|
|
[[faq-no-security-on-forward]]
|
|
|
=== I'm forwarding a request to another URL using the RequestDispatcher, but my security constraints aren't being applied.
|
|
|
|
Rob Winch