Spring Security : Call from external website unable to redirect to our application Code Answer

Hello Developer, Hope you guys are doing great. Today at Tutorial Guruji Official website, we are sharing the answer of Spring Security : Call from external website unable to redirect to our application without wasting too much if your time.

The question is published on by Tutorial Guruji team.

We are developing a Spring based web application, which is using Spring Security 3.2.3. We are integrating with an external payment gateway (Paytm) for accepting user’s payments. Following is a scenario where we are facing issue:

  1. User logs in to the application (it’s an HTTP non-S app) and clicks on a button which redirects him to the payment gateway (Paytm payment gateway – it’s HTTPS url).
  2. For Paytm integration, we have configured a callback URL i.e. index page of our application (eg. http://server:port/app/index.jsp). User completes the payment and Paytm redirects the control back to our Spring application.
  3. When Paytm tries to call our app’s index page (eg. http://server:port/app/index.jsp), it fails and in Chrome debugger, we could see a 403 Forbidden response.
  4. However, this scenario works well in Mozilla Firexfox and IE 11. The issue in only seen in Google Chrome and Operabrowsers.
  5. We tried by providing some other website in callback URL (like https://google.com) and the redirection went successful.

What we are suspecting is it might be some config issue or missing setting in Spring Security, but which we are not sure of.

This is our Spring Security config:

<http auto-config="true" use-expressions="true">
        <!-- Un-comment when authorization is implemented -->
        <intercept-url pattern="/**" access="isAuthenticated()"/>
        <form-login authentication-failure-handler-ref="failureHandler"
            authentication-success-handler-ref="successHandler" />
        <intercept-url pattern="/**" />
        <logout logout-success-url="${login.page.url}" />

    <authentication-manager alias="authenticationManager">
            <password-encoder ref="encoder" />
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="select gu.email, gu.password, gu.enabled from global_user gu,global_organization_user gou, global_organization go where email=? and gu.enabled=1 and gu.is_deleted=0 and gou.user_id = gu.id and gou.organization_id=go.id and go.current_stage='ACTIVE' and go.is_deleted=0"
                authorities-by-username-query="select u.email, r.role_id from global_user u, security_user_role r
                where u.id = r.user_id and u.email=?" />

    <beans:bean id="encoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />
    <beans:bean id="successHandler"
        class="app.server.security.authentication.AuthenticationSuccessHandler" />
    <beans:bean id="failureHandler"
        class="app.server.security.authentication.AuthenticationFailureHandler" />

    <beans:bean id="expressionHandler"
        <beans:property name="permissionEvaluator" ref="authorizationEvaluator">

    <beans:bean id="authorizationEvaluator"
        class="app.server.security.authorization.AuthorizationEvaluator" />

    <global-method-security pre-post-annotations="enabled">
        <expression-handler ref="expressionHandler" />

    <http pattern="/rest/app/someurl**" security="none"/>
    // other URLs which are escaped from spring security

Any suggestions and pointers are appreciated.


This issue is temporarily solved by redirecting the payment gateway response to an intermediate URL (we created a separate web project and provided its link). This intermediate URL then redirects the control to our Spring application.

We are here to answer your question about Spring Security : Call from external website unable to redirect to our application - If you find the proper solution, please don't forgot to share this with your team members.

Related Posts

Tutorial Guruji