java - Expected CSRF token not found. Has your session expired 403

Question

I'm trying to write my test spring security application with mkyong examples.

Spring Security: 4.0.0.RC1
Spring: 4.1.4.RELEASE

I have the following security config:

<http auto-config="true">
    <intercept-url pattern="/admin**" 
                    access="hasRole('ADMIN')"/>
    <form-login authentication-failure-url="/?auth_error" 
                        username-parameter="user" 
                        password-parameter="password" 
                        login-page="/"
                        default-target-url="/?OK"/>
<!-- <csrf/> -->
</http>

<authentication-manager>
    <authentication-provider>
        <user-service>
            <user name="mkyong" password="123456" authorities="ADMIN" />
        </user-service>
    </authentication-provider>
</authentication-manager>

login-page:

<html>
<body>
<form method="POST">
    <label for="user">User: </label>
    <input type="text" id="user" name="user" /> </br>
    <label for="password">Password: </label>
    <input type="text" name="password" id="password" /> </br>
    <input type="submit" /> 
</form>
</body>
</html>

Now, when I try to login I get 403 error page:

Invalid CSRF Token 'null' was found on the request parameter 
'_csrf' or header 'X-CSRF-TOKEN'.

description:

Access to the specified resource (Invalid CSRF Token 'null' was
found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.) has been 
forbidden.

What's wrong, how can I fix that? I commented csrf in the config, but the error-message has to do with the csrf.

Answer 1

I had the same problem. I use thymeleaf and Spring boot, and got the CSRF token issue when I try to post data in a form.

Here is my working solution:

1. Add this hidden input:

   <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />

2. In your WebSecurityConfig (which extends WebSecurityConfigurerAdapter), add a method:

   private CsrfTokenRepository csrfTokenRepository() 
   { 
       HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository(); 
       repository.setSessionAttributeName("_csrf");
       return repository; 
   }
   

   and add code in method configure():

   @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf()
        .csrfTokenRepository(csrfTokenRepository())
   

I spent lot of time on this problem. Hope it can help someone who has the same problem.