8

I'm following the Spring Security reference, and I've got redirection to a custom login page working as described in section 3.3. However, I'm not sure how to get the CSRF token in Mustache (all the examples use JSP). I've tried a few naïve things like this...

{{#_csrf}}
    <input type="hidden" name="{{parameterName}}" value="{{token}}"/>
{{/_csrf}}

...and this...

{{#CsrfToken}}
    <input type="hidden" name="{{parameterName}}" value="{{token}}"/>
{{/CsrfToken}}

...but they don't work (and I didn't really expect them to). How can I get the CSRF token in Mustache?

I'm also wondering: Where could I set a breakpoint in my code to see what Spring Security is sending as the model to my custom login view?)

Rob Johansen
  • 5,076
  • 10
  • 40
  • 72
  • 1
    Spring Security doesn't send the model; that's the Spring MVC `DispatcherServlet`. If you're going to use a template engine such as Mustache that doesn't have out-of-the-box integration, you'll need to look up the CSRF token in your controller and add it to the model yourself. – chrylis -cautiouslyoptimistic- Oct 16 '14 at 05:56
  • 1
    @chrylis - You were right on; thanks for your help. I added an `HttpServletRequest` argument to my `@RequestMapping` handler method and got an instance of `CsrfToken` from the "_csrf" attribute. If you add an answer, I'll accept it. – Rob Johansen Oct 17 '14 at 03:36
  • 1
    Like this: CsrfToken token = (CsrfToken) httpServletRequest.getAttribute("_csrf"); model.addAttribute("token", token.getToken()); http://stackoverflow.com/questions/20862299/with-spring-security-3-2-0-release-how-can-i-get-the-csrf-token-in-a-page-that – sanrodari Apr 15 '15 at 15:39

3 Answers3

3

Add this to yourapplication.properties:

spring.mustache.expose-request-attributes=true

Then you have access to the _csrf request attribute in your template.

smiggle
  • 1,259
  • 6
  • 16
1

Add this to your application.properties:

spring.mustache.servlet.expose-request-attributes=true

Then you have access to the _csrf request attribute in your template.

Property was renamed from spring.mustache.expose-request-attributes in Spring Boot version 2.7.0.

Issue: https://github.com/spring-projects/spring-boot/issues/28858

Sergey
  • 31
  • 2
0

I am not sure from which version this is available, but you can just add a parameter for CsrfToken on your controller method to get the token to be passed into the model, like so:

@GetMapping("/dashboard")
public String dashboard(CsrfToken csrfToken, Model model) {
    model.addAttribute("_csrf", csrfToken);
    // render page
}

You don't have to use HttpServletRequest. Now you can use your first template.

If the above is too tedious to do for each controller methods, we can register an interceptor instead.

Interceptor:

public class CsrfTokenInterceptor implements HandlerInterceptor {
    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
                           Object handler, ModelAndView modelAndView) throws Exception {
        CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");
        if (modelAndView != null) {
            modelAndView.addObject("_csrf", csrfToken);
        }
    }
}

Bean:

@Configuration
public class Config {
    @Bean
    public CsrfTokenInterceptor csrfTokenInterceptor() {
        return new CsrfTokenInterceptor();
    }
}

Add interceptor in WebMvcConfigurer:

@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
    @Autowired
    CsrfTokenInterceptor csrfTokenInterceptor;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(csrfTokenInterceptor);
    }
}
burhanloey
  • 33
  • 1
  • 4