Invalid CSRF Token null was found on the request parameter csrf or header X-CSRF-TOKEN

Question

After configuring Spring Security 3 2   csrf token is not bound to a request or a session object   This is the spring security config    lt http pattern   login jsp  security  none   gt    lt http gt       lt intercept-url pattern       access  ROLE USER   gt       lt form-login login-page   login jsp                  authentication-failure-url   login jsp error 1                  default-target-url   index jsp   gt       lt logout  gt       lt csrf   gt   lt  http gt    lt authentication-manager gt       lt authentication-provider gt           lt user-service gt               lt user name  test  password  test  authorities  ROLE USER  gt           lt  user-service gt       lt  authentication-provider gt   lt  authentication-manager gt    The login jsp file   lt form name  f  action    contextPath  j spring security check  method  post   gt       lt input type  hidden  name     csrf parameterName   value     csrf token     gt       lt button id  ingresarButton              name  submit              type  submit              class  right              style  margin-right  10px   gt Ingresar lt  button gt       lt span gt           lt label for  usuario  gt Usuario   lt  label gt           lt input type  text  name  j username  id  u  class    value     gt       lt  span gt       lt span gt           lt label for  clave  gt Contrase amp ntilde a   lt  label gt            lt input type  password                 name  j password                 id  p                 class                   onfocus  vc psfocus   1                  value    gt       lt  span gt   lt  form gt    And it renders the next html    lt input type  hidden  name    value      gt    The result is 403 HTTP status   Invalid CSRF Token  null  was found on the request parameter   csrf  or header  X-CSRF-TOKEN     UPDATE After some debug  the request object gets out fine form DelegatingFilterProxy  but in the line 469 of CoyoteAdapter it executes request recycle    that erases all the attributes     I test in Tomcat 6 0 36  7 0 50 with JDK 1 7   I have not understood this behavior  rather than  it would be possible if someone point me in the direction of some application sample war with Spring Security 3 2 that works with CSRF

User · Answer

I used to have the same problem   Your config use security  none  so cannot generate  csrf    lt http pattern   login jsp  security  none   gt    you can set access  IS AUTHENTICATED ANONYMOUSLY  for page  login jsp replace above config    lt http gt       lt intercept-url pattern   login jsp   access  IS AUTHENTICATED ANONYMOUSLY   gt       lt intercept-url pattern       access  ROLE USER   gt       lt form-login login-page   login jsp              authentication-failure-url   login jsp error 1              default-target-url   index jsp   gt       lt logout  gt       lt csrf   gt   lt  http gt

User · Answer

Shouldn t you add to the login form     lt input type  hidden  name     csrf parameterName   value     csrf token    gt     As stated in the here in the Spring security documentation

User · Answer

i think csrf only works with spring forms   lt    taglib prefix  form  uri  http   www springframework org tags form    gt    change to form form tag and see it that works

User · Answer

Please see my working sample application on Github and compare with your set up

User · Answer

If you will apply security  none  then no csrf token will be generated  The page will not pass through security filter  Use role ANONYMOUS   I have not gone in details  but it is working for me     lt http auto-config  true  use-expressions  true  gt      lt intercept-url pattern   login jsp  access  hasRole  ANONYMOUS      gt      lt  -- you configuration -- gt      lt  http gt

User · Answer

In your controller add the following    RequestParam value     csrf   required   false  String csrf   And on jsp page add   lt form form modelAttribute  someName  action  someURI    csrf parameterName     csrf token

User · Answer

Spring documentation to disable csrf  https   docs spring io spring-security site docs current reference html csrf html csrf-configure   EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter        Override    protected void configure HttpSecurity http  throws Exception         http csrf   disable

User · Answer

Try to change this   lt csrf   gt   to this    lt csrf disabled  true   gt   It should disable csfr

User · Answer

Neither one of the solutions worked form me  The only one that worked for me in Spring form is   action    upload    csrf parameterName     csrf token    REPLACED WITH   action    upload  csrf    csrf token     Spring 5 with enabled csrf in java configuration

User · Answer

It looks like the CSRF  Cross Site Request Forgery  protection in your Spring application is enabled  Actually it is enabled by default    According to spring io      When should you use CSRF protection  Our recommendation is to use CSRF   protection for any request that could be processed by a browser by   normal users  If you are only creating a service that is used by   non-browser clients  you will likely want to disable CSRF protection    So to disable it    Configuration public class RestSecurityConfig extends WebSecurityConfigurerAdapter      Override   protected void configure HttpSecurity http  throws Exception       http csrf   disable            If you want though to keep CSRF protection enabled then you have to include in your form the csrftoken  You can do it like this    lt form       gt        other fields here        lt input type  hidden   name     csrf parameterName     value     csrf token    gt   lt  form gt    You can even include the CSRF token in the form s action    lt form action    upload    csrf parameterName     csrf token   method  post  enctype  multipart form-data  gt

User · Answer

With thymeleaf you may add    lt input type  hidden  th name     csrf parameterName   th value     csrf token    gt

[spring] Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'

Examples related to spring

Examples related to spring-security

Examples related to csrf

Examples related to csrf-protection