Spring Mvc Controller - problem with delete

Question

i working in a j2ee project (pojo layer, Dao layer(hibernate), Service Layer(spring), View(spring mvc)) i have a table of articles after each row i want to add a link to remove it.

this is my view

<c:if test="${!empty articles}">
<table>
    <tr>
        <th>Article ID</th>
        <th>Article Name</th>
        <th>Article Desc</th>
        <th>Added Date</th>
        <th>operation</th>
    </tr>

    <c:forEach items="${articles}" var="article">
        <tr>
            <td><c:out value="${article.articleId}"/></td>
            <td><c:out value="${article.articleName}"/></td>
            <td><c:out value="${article.articleDesc}"/></td>
            <td><c:out value="${article.addedDate}"/></td>
            <td><a href="articles/${article.articleId}">delete</a></td>
        </tr>
    </c:forEach>
</table>

here is the controller to delete

@RequestMapping(value="/articles/{articleId}", method=RequestMethod.POST)
public String deleteContact(@PathVariable("articleId")
Integer articleId) {

    articleService.removeArticle(articleId);

    return "redirect:/articles.html";
}

this is the servcice layer

    @Transactional(propagation = Propagation.REQUIRED, readOnly = false)
public void removeArticle(Integer id) {
    articleDao.removeArticle(id);
}

this is the Dao layer (i try to find the article then to remove it)

    public void removeArticle(Integer id) {
            //to get the article
    Article article = (Article) sessionFactory.getCurrentSession().load(
            Article.class, id);
    if (null != article) {
        sessionFactory.getCurrentSession().delete(article);
    }

}

but when i run the project and i click the delete link, i have an 404 error Etat HTTP 404 - /Spring3Hibernate/articles/1 description The requested resource (/ Spring3Hibernate/articles/1) is not available

can somebody help me?

Are you sure the "a href"-part is sending a POST- and not a GET-request? — esaj, Feb 27 '11 at 13:58

danny.lesnik · Accepted Answer · 2011-02-27T15:24:27.780

5

 <td><a href="articles/${article.articleId}">delete</a></td>

This is standard GET request, but your controller is mapped to POST.

@RequestMapping(value="/articles/{articleId}", method=RequestMethod.POST)

In addition, it looks like very big security issue. I can write very simple 10 lines program which will call using get or post request to from /articles/1 to /articles/{any number} and delete your entire data. I recommend just to take it into consideration while designing such applications.

edited Feb 27 '11 at 15:24

answered Feb 27 '11 at 15:01

danny.lesnik

18,479
29
135
200

Can you provide some hints on preventing this security breach? – artaxerxe Dec 16 '14 at 11:21

score 0 · Answer 2 · answered Feb 27 '11 at 14:29

0

Try the request method to be DELETE. GET method is not advised for something that will change a value in the server/db. If you want to stick with post make it a form submit instead of a href

RequestMapping(value="/articles/{articleId}", method=RequestMethod.DELETE)

answered Feb 27 '11 at 14:29

Vinod R

1,218
10
13

But his link will still send the request as a GET. How would this work better than with RequestMethod.POST? – JB Nizet Feb 27 '11 at 14:39
I forgot to mention that, thanks for correcting. It has to be a post from the form. – Vinod R Feb 27 '11 at 16:27
HTTP Status 405 - Request method 'POST' not supported i tried all those still the above happens. delete request got converted to POST – shalu Apr 23 '15 at 12:11

Spring Mvc Controller - problem with delete

2 Answers2

Linked