Reputation: 129
I have configured Springframework security (4.0) for my springframework RESTful services. Things went well for browser-launched GET accesses, and html form where action=GET, but failed for services where method=requestMethod.POST, either from a browser by submitting an HTML form with action=POST; or by using RestTemplate from a remote application.
To see the problem, I simplified the configuration to the following. With this, I could access all services of Method=GET without being challenged for credentials (seems to be right), but receive a failure with the "accessDeniedPage" (I have never been challenged for credentials).
All services are under "/CouponController/**":
@Override
protected void configure (HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/CouponController/**").permitAll()
.and().formLogin().permitAll()
.and().exceptionHandling().accessDeniedPage("/Accesses_Denied_Due_To_Security_failure");
}
If I use the following configure, I would be challenged for credentials when accessing services of method=GET, while I would still see the same behavior when accessing the services of Method=POST:
@Override
protected void configure (HttpSecurity http) throws Exception {
http.authorizeRequests()
.antMatchers("/CouponController/**").access("hasRole('STAFF')")
.and().formLogin().permitAll()
.and().exceptionHandling().accessDeniedPage("/Accesses_Denied_Due_To_Security_failure");
}
What did I do incorrectly?
Upvotes: 3
Views: 1669
Reputation: 3130
The reason it fails is because there is no CSRF token in the form.
If you add the following Spring form taglib included on your page:
<%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
Use Spring's <form:form> tag in your JSP instead of a standard HTML <form>; it will add the (highly recommended) CSRF token automatically to your form.
This would be more secure and is good practice instead of disabling the feature.
Alternatively, if you want to use a standard HTML <form>, you can add the following hidden field and Spring Security will handle the rest:
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
Upvotes: 1
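To make the behaviour in the question concrete (GET passes, POST is sent to the access-denied page even under permitAll, a correct token fixes it), here is an added, stand-alone Python model of the synchronizer-token check that Spring Security's CsrfFilter performs before authorization runs. It is not Spring's code; the parameter name `_csrf` and header `X-CSRF-TOKEN` are Spring Security's defaults, the session dict and the sample requests are constructed, and the constant-time comparison is this model's own choice.

```python
import hmac
import secrets

# HTTP methods the CSRF filter treats as safe: no token is required for them.
SAFE_METHODS = {"GET", "HEAD", "TRACE", "OPTIONS"}
CSRF_PARAM = "_csrf"          # Spring Security's default form parameter name
CSRF_HEADER = "X-CSRF-TOKEN"  # Spring Security's default header name (REST clients)


def issue_token(session):
    """Keep one synchronizer token per session, creating it on first use."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_check(method, session, form=None, headers=None):
    """Return True when the request passes the token check, False when it
    would be handed to the AccessDeniedHandler (the accessDeniedPage)."""
    if method.upper() in SAFE_METHODS:
        return True  # GET is never challenged, matching what the question saw
    expected = issue_token(session)
    actual = (form or {}).get(CSRF_PARAM) or (headers or {}).get(CSRF_HEADER)
    if actual is None:
        return False  # missing token: denied before any role/permitAll rule
    # Constant-time comparison (model's choice) so the check leaks no timing.
    return hmac.compare_digest(expected, actual)


def demo():
    """Constructed requests against one session; returns each verdict."""
    session = {}
    token = issue_token(session)  # what ${_csrf.token} renders into the form
    return {
        "get_without_token": csrf_check("GET", session),
        "post_without_token": csrf_check("POST", session, form={"code": "SAVE10"}),
        "post_with_form_token": csrf_check(
            "POST", session, form={"code": "SAVE10", CSRF_PARAM: token}),
        "post_with_header_token": csrf_check(
            "POST", session, headers={CSRF_HEADER: token}),
        "post_with_wrong_token": csrf_check(
            "POST", session, form={CSRF_PARAM: "not-the-session-token"}),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The `post_with_header_token` case is how a non-browser client such as RestTemplate would pass the token once it has obtained it from the server session.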
Reputation: 129
I found the reason for my form submission failures.
Spring Security, by default, enables CSRF protection for both XML and Java configurations. This caused my code to fail for form submission because the form I am submitting does not contain a CSRF token. Unfortunately, the error message was only "404 requested resource not available" when I used Java configuration. The error message became informative when I switched to XML configuration.
After I disabled CSRF, the form submission was successful. Now, I need to go back and figure out how to include a CSRF token in my form.
Hope this helps.
Upvotes: 1