Problem:

Trace:

HTTP Status 403 - Could not verify the provided CSRF token because your session was not found.

type Status report

message Could not verify the provided CSRF token because your session was not found.

description Access to the specified resource has been forbidden.
Apache Tomcat/7.0.59
Could not verify the provided CSRF token

Could not verify the provided CSRF token

 

Solutions:

  1. Disable CSRF token in spring security.
  2. Pass CSRL token from login page

How to disable CSRL in spring security?:

1. First

Instead by default Spring Security’s CSRF protection will produce an HTTP 403 access denied. This can be customized by configuring the AccessDeniedHandler to process InvalidCsrfTokenException differently.

As of Spring Security 4.0, CSRF protection is enabled by default with XML configuration. If you would like to disable CSRF protection, the corresponding XML configuration can be seen below.

<http>
  <!-- ... -->
  <csrf disabled="true"/>
</http>
2. Second
@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {

@Override
protected void configure(HttpSecurity http) throws Exception {
  http
  .csrf().disable();
}
}

 How to pass CSRL in login form?

<input type="hidden"
           name="${_csrf.parameterName}"
           value="${_csrf.token}"/>

Complete form is here:

<form method="post" action="/login">
    User Name : <input type="text" name="username">
    Password : <input type="password" name="password">
    <input type="hidden"
           name="${_csrf.parameterName}"
           value="${_csrf.token}"/>
    <input name="submit" value="Login" type="submit"/>
</form>

Ref: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-configure

Was this post helpful?
Let us know, if you liked the post. Only in this way, we can improve us.
Yes
No

Leave a Reply

Your email address will not be published. Required fields are marked *