Could not verify the provided CSRF token because your session was not found


Solution 1

THIS IS THE ANSWER!

Ok so here's the thing: from other questions that literally have the same cause, mostly it will affect systems that are using REST, with a header and without a form login. This means that the webapp is in the container system. So the location of both systems, either the container or the system in the container, is completely different on the client side.

Here is the example.

For container webapp:

 www.myweb.com/main/

For webapp in container:

www.myweb.com/main/child

This difference will deny the access and give the 403 because, for sure, the thing we are looking for does not exist there.

Example:

www.myweb.com/main/child/playground

The /playground URI exists there but for sure is forbidden here:

www.myweb.com/main/playground

So please check your URI and try to make sure you are using a relative path. It's much better.

P/s: For some reason, everything that is being called from the server side remains intact, whether in the container or in the system in the container. This happens because the server side uses a relative path, not an absolute path.

Solution 2

Spring requires sending the CSRF token on every form submit. To accomplish this, it is possible, for example, to insert the following code into a JSP:

<form>
[...]
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/> 
[...]
</form>

Best regards

Author: FreezY

Updated on June 04, 2022

Comments

  • FreezY (almost 2 years ago)

    I've been searching about this problem but still cannot avoid it. The problem only comes when I'm trying to make an AJAX call. The system will return the error Could not verify the provided CSRF token because your session was not found.

    Based on Spring MVC and CSRF Integration, I need to include @EnableWebSecurity to resolve this if I'm using Java Config, but if using XML, I need to use this:

    @RestController
    public class CsrfController {
    
        @RequestMapping("/csrf")
        public CsrfToken csrf(CsrfToken token) {
            return token;
        }
    }
    

    And I'm not sure how to use the above class.

    The question is how to use the above class, if it's really a solution, or are there any other solutions I can use?

    This is my security config XML file:

    <?xml version="1.0" encoding="UTF-8"?>
    <beans:beans xmlns="http://www.springframework.org/schema/security"
        xmlns:util="http://www.springframework.org/schema/util"
        xmlns:beans="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:c="http://www.springframework.org/schema/c"
        xmlns:p="http://www.springframework.org/schema/p"
        xmlns:context="http://www.springframework.org/schema/context"
        xmlns:aop="http://www.springframework.org/schema/aop"
        xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
            http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop.xsd
            http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd">
    
        <!-- Global Security Settings -->
        <global-method-security pre-post-annotations="enabled" />
        <context:component-scan base-package="com.my.web" />
    
        <!-- Reads WEB Configuration file to resolve ${} and read @Value for Security-->
        <context:property-placeholder location="classpath:cfg/web.cfg" />
        <context:annotation-config />
    
        <!-- Security Access Configuration -->
    
        <http auto-config="false" use-expressions="true" authentication-manager-ref="CAP" disable-url-rewriting="true" entry-point-ref="IAE">
    
            <session-management  session-fixation-protection="newSession" session-authentication-error-url="/logout?timeout" >
                <concurrency-control max-sessions="1" expired-url="/logout?expired" />
            </session-management>
            <custom-filter position="PRE_AUTH_FILTER" ref="entryFilter" />
            <intercept-url pattern="/resources/**" access="permitAll()" requires-channel="https" />
            <intercept-url pattern="/clearcache" access="permitAll()" requires-channel="https" />
            <intercept-url pattern="/logout" access="permitAll()" requires-channel="https" />
            <intercept-url pattern="/**" access="isFullyAuthenticated()" requires-channel="https" />
    
            <port-mappings >
                <port-mapping http="7001" https="7002"  />
            </port-mappings>
    
            <headers>
                <frame-options policy="SAMEORIGIN" />
                <hsts />
                <cache-control />
                <xss-protection />
                <content-type-options />
            </headers>
    
        </http>
    
        <beans:bean id="entryFilter" class="com.my.web.security.HeaderFilter" >
            <beans:property name="authenticationManager" ref="CAP"/>
        </beans:bean>
        <beans:bean id="IAE" class="com.my.web.security.CustomAuthenticationEntryPoint" />
        <beans:bean id="CAP" class="com.my.web.security.CustomAuthenticationManager" />
    
        <beans:import resource="../aop/aspect-security.xml" />
    </beans:beans>
    

    In addition, I'm using a system similar to CA SiteMinder which will validate the user based on header info, with no login form.
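An added example, not code from the question or either answer, showing how the /csrf @RestController from the question and the hidden-field approach of Solution 2 fit together for the AJAX case: the client fetches the CsrfToken JSON from /csrf and sends it back in the header name Spring reports. The fetch implementation is injected so the helper also runs outside a browser; the /csrf path, the target URL and the token values are assumptions.

```javascript
// Added example: client-side helper for the AJAX case. The /csrf controller in
// the question returns Spring's CsrfToken, which Jackson serialises as
// {"token": "...", "parameterName": "_csrf", "headerName": "X-CSRF-TOKEN"}.
// fetchImpl is injected (window.fetch in a browser) so the helper is testable offline.

// Validate the token response and build the headers for a mutating request.
// The header plays the same role as Solution 2's hidden <input>, which cannot be
// used when the request body is JSON rather than a form post.
function csrfHeaders(csrf) {
  if (!csrf || typeof csrf.token !== "string" || typeof csrf.headerName !== "string") {
    throw new Error("malformed CSRF token response");
  }
  return { [csrf.headerName]: csrf.token, "Content-Type": "application/json" };
}

// Assemble the fetch() init object. credentials: "same-origin" makes the browser
// send the session cookie; without it Spring cannot find the session that holds
// the token and answers with the "session was not found" error from the question.
function buildCsrfRequest(csrf, payload) {
  return {
    method: "POST",
    credentials: "same-origin",
    headers: csrfHeaders(csrf),
    body: JSON.stringify(payload),
  };
}

// Obtain the token from the /csrf endpoint (path assumed, as in the question).
async function fetchCsrfToken(fetchImpl, csrfUrl = "/csrf") {
  const res = await fetchImpl(csrfUrl, { credentials: "same-origin" });
  if (!res.ok) throw new Error("could not obtain CSRF token: HTTP " + res.status);
  return res.json();
}

// Full round trip: GET /csrf, then POST to `url` with the token header attached.
async function postWithCsrf(fetchImpl, url, payload) {
  const csrf = await fetchCsrfToken(fetchImpl);
  return fetchImpl(url, buildCsrfRequest(csrf, payload));
}
```

If the token still fails verification with the header attached, the session cookie is not reaching the server on the AJAX request (wrong path or origin, as Solution 1 describes), and the browser's network tab will show the request without a Cookie header.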