Reputation: 2516
Error HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'
Hi I am new to Spring security , i am using the example mentioned here by Mkyong, i am using the annotation based example presented on this tutorial, but it always through an exception whenever i enter value into login form and click on submit button as below.
type Status report
message Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'.
description Access to the specified resource has been forbidden.
I tried google it but didnt find any suitable answer, that solves this problem. the security config class is below.
SecurityConfig.java
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
@Qualifier("authenticationProvider")
AuthenticationProvider authenticationProvider;
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.authenticationProvider(authenticationProvider);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/admin/**")
.access("hasRole('ROLE_USER')").and().formLogin()
.loginPage("/login").failureUrl("/login?error")
.usernameParameter("username")
.passwordParameter("password")
.and().logout().logoutSuccessUrl("/login?logout").and().csrf();
}
}
and
login.jsp form is below
<form name='loginForm'
action="<c:url value='/login'/>" method='POST' enctype="multipart/form-data">
<table>
<tr>
<td>User:</td>
<td><input type='text' name='username'></td>
</tr>
<tr>
<td>Password:</td>
<td><input type='password' name='password' /></td>
</tr>
<tr>
<td colspan='2'><input name="submit" type="submit"
value="submit" /></td>
</tr>
</table>
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}" />
</form>
Please help me to come out from this issue.
Upvotes: 0
Views: 6212
Answers (2)
Reputation: 1424
Problem is with multipart form type, you just need to use this
<form name='loginForm'
action="<c:url value='/login'/>" method='POST'>
instead your original below
<form name='loginForm'
action="<c:url value='/login'/>" method='POST' enctype="multipart/form-data">
If you need to use form type as multipart form than Add a MultipartFilter to web.xml ensuring that it is added before the Spring Security configuration:
<filter>
<display-name>springMultipartFilter</display-name>
<filter-name>springMultipartFilter</filter-name>
<filter-class>org.springframework.web.multipart.support.MultipartFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>springMultipartFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Upvotes: 1
Reputation: 1287
Please add the below code to your security config and see if it makes any diff
.and()
.csrf().disable();
Upvotes: 4
Related Questions
- Security configuration with Spring-boot
- When I submit post request to the built-in /login of spring-security, get response "There was an unexpected error (type=Not Found, status=404)
- Spring boot security consider case insensitive username check for login
- Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'
- HTTP Status 403 - Invalid CSRF Token '9ee6949c-c5dc-4d4b-9d55-46b75abc2994' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'
- HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter
- Spring Security: AuthenticationProvider and UserDetailsService not working as expected
- In Broadleaf Project HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'