
I am using Spring Security 4. Everything works fine until I decided to turn on CSRF to keep the website secure. But I am getting confused after reading lots of relevant documents. Here is the question:

I have back-end services with Spring MVC and Spring Security running on Computer A; on Computer B I have all the front-end HTML. Now I want to log in from web pages on Computer B, but it always says `Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'`. I think the CSRF token is generated by Computer A, but how can I obtain it so that I can include it in the following request?

Thanks

Steven Luo

1 Answer

Have you added the following tag to your login form?

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

Please refer to the Spring documentation for more details.

http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf-include-csrf-token

Pratik Shah
shankarsh15
  • Yes. I have tried that. Actually, I think `${_csrf.token}` should be replaced with the real token when submitting the request, is that right? – Steven Luo May 18 '16 at 05:11
  • OK, then my question is if the token is generated by the Spring Security, how does the client computer know it? i.e., how to find the value to replace "${_csrf.token}". – Steven Luo May 18 '16 at 06:04
  • Actually, it is populated automatically. You just have to enable `@EnableWebSecurity` on your server-side application. Please follow the docs http://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html – shankarsh15 May 18 '16 at 06:37
  • I have followed this tutorial exactly. `` is added. However, `Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.` is shown. Here is the form data sent: `username:xxxxx` `password:yyyyy` `${_csrf.parameterName}:${_csrf.token}` `remember-me:false` – Steven Luo May 19 '16 at 00:33