Table of Contents
Problem:
Trace:
HTTP Status 403 - Could not verify the provided CSRF token because your session was not found. type Status report message Could not verify the provided CSRF token because your session was not found. description Access to the specified resource has been forbidden. Apache Tomcat/7.0.59
Could not verify the provided CSRF token
Solutions:
- Disable CSRF token in spring security.
- Pass CSRL token from login page
How to disable CSRL in spring security?:
1. First
Instead by default Spring Security’s CSRF protection will produce an HTTP 403 access denied. This can be customized by configuring the AccessDeniedHandler to process InvalidCsrfTokenException differently.
As of Spring Security 4.0, CSRF protection is enabled by default with XML configuration. If you would like to disable CSRF protection, the corresponding XML configuration can be seen below.
<http> <!-- ... --> <csrf disabled="true"/> </http>
2. Second
@EnableWebSecurity
public class WebSecurityConfig extends
WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
http
.csrf().disable();
}
}
How to pass CSRL in login form?
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>Complete form is here:
<form method="post" action="/login">
User Name : <input type="text" name="username">
Password : <input type="password" name="password">
<input type="hidden"
name="${_csrf.parameterName}"
value="${_csrf.token}"/>
<input name="submit" value="Login" type="submit"/>
</form>Ref: https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#csrf-configure
Was this post helpful?
Let us know if you liked the post. That’s the only way we can improve.
