csciandr

Reputation: 132

Spring CSRF not working on Tomcat 7.0.28

I have a web application which uses Spring Security, version 4.0.1 and Spring version 4.1.6.
In every page of the web app I have the

<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

parameter, which sends the CSRF token to the server. Now my problem is that if I view the source code of the JSP I have

<input type="hidden" name="" value=""/>

so the token is not sent to the server and the POST action results in the message "HTTP Status 405 - Request method 'POST' not supported".
If I deploy the same web application on Tomcat 7.0.5.x everything works fine, and it also works fine in WAS 7, WAS 8.5 and JBoss EAP 6.4.
I cannot understand why on this version of Tomcat (7.0.28), which I downloaded from the web site without changing anything about the configuration etc., the CSRF protection offered by Spring Security is not working.

Upvotes: 0

Views: 1222

Answers (2)

Arun Maharana

Reputation: 291

Open the tomcat/conf folder.
There is a file Context.xml there; open it.
Change <Context> to <Context useHttpOnly="false">.
Then you are done.

Upvotes: 0

Isendel

Reputation: 26

I faced the same problem: Tomcat 7.0.28 is not able to auto-detect the Spring Security filter.

My solution is to add this:

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

to the web.xml and try again.

Upvotes: 1
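
When the `springSecurityFilterChain` filter never runs, Spring Security's `CsrfFilter` does not set the `_csrf` request attribute, which is why the JSP renders empty `name` and `value` strings. The following is an added example, not part of the original answers: a pre-deployment check that a `web.xml` declares and maps the filter as in the answer above. The function name `check_web_xml` and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

FILTER_NAME = "springSecurityFilterChain"
PROXY_CLASS = "org.springframework.web.filter.DelegatingFilterProxy"

def _local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Return the stripped text of all direct children called `name`."""
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]

def check_web_xml(xml_text):
    """Return a list of problems; an empty list means the filter is wired."""
    root = ET.fromstring(xml_text)
    declared, patterns = False, []
    for elem in root:
        if FILTER_NAME not in _child_text(elem, "filter-name"):
            continue
        kind = _local(elem.tag)
        if kind == "filter":
            declared = declared or PROXY_CLASS in _child_text(elem, "filter-class")
        elif kind == "filter-mapping":
            patterns += _child_text(elem, "url-pattern")
    problems = []
    if not declared:
        problems.append("no <filter> %s using DelegatingFilterProxy" % FILTER_NAME)
    if "/*" not in patterns:
        problems.append("filter is not mapped to /* (found %r)" % patterns)
    return problems

# Constructed sample inputs (hypothetical, not from a real deployment).
WIRED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""
MISSING = """<web-app version="3.0"><servlet>
  <servlet-name>app</servlet-name></servlet></web-app>"""

if __name__ == "__main__":
    for label, doc in (("wired", WIRED), ("missing", MISSING)):
        print(label, check_web_xml(doc) or "OK")
```

A mapping narrower than `/*` is reported as a problem because any POST endpoint outside that pattern would be served without the CSRF check.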
