Spring security csrf is null

Question

I have login form and I want to protect it against csrf atacks.

My spring-security.xml

<sec:http auto-config="true" use-expressions="true">
    ...
    <sec:csrf />
</sec:http>

My jsp-file (use tiles):

<form class="navbar-form navbar-right form-inline" method="POST" role="form"
  action="j_spring_security_check">
  <div class="form-group">
    <input class="form-control" type="email" name="j_username">
  </div>
  <div class="form-group">
    <input class="form-control" type="password" name="j_password">
  </div>
  <button class="btn btn-default" type="submit">Login</button>

  <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}">
</form>

I can authorize, but csrf is empty:

<input type="hidden" value="" name="">

Can anyone help me?

Answer 1

if you will apply security="none" then no csrf token will be generated. page will not pass through security filter. Use role ANONYMOUS.

I have not gone in details, but it is working for me.

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login.jsp" access="hasRole('ANONYMOUS')" />
    <!-- you configuration -->
</http>

Answer 2

I've cleared .m2 directory and reimported all dependecies. It helps to me.

Answer 3

Are you sure you have JSTL setup properly? Have you tried using a tag instead? If the following works, then JSTL is probably not setup correctly:

<c:out value="${_csrf.parameterName}"/>

Just to be certain do you have any blocks? If so ensure you have not disabled security on the login form.