HTTP Status 403 - Expected CSRF token not found. Has your session expired?
Solution 1
http.csrf().disable();
should be added in your class public class SecurityConfiguration extends WebSecurityConfigurerAdapter:

public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/login.xhtml").permitAll()
            .antMatchers("/pages/**").access("isAuthenticated()")
            .antMatchers("/run**").access("isAuthenticated()")
            .and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
            .successHandler(successHandler)
            .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
            .usernameParameter("username")
            .passwordParameter("password")
            .and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);
        http.csrf().disable();
    }
}

http.csrf().disable()
is supported in Spring Security 4.0.1 (I have looked at the 3.2.3 doc, and it is already there: Class HttpSecurity).
I think there is something wrong in your configuration setting.
Please post all the related code, e.g. build.gradle for Gradle or pom.xml for Maven, web.xml, all Spring configuration code, etc.
Solution 2
I assume your configuration implements WebSecurityConfigurer (for example by extending WebSecurityConfigurerAdapter).
If so, you are able to set http.csrf().disable();
in the overridden configure method. Double check your dependencies, or show us the complete configuration code.
That being said, I suggest you not disable it, but instead implement the correct usage. Take a look at the Spring Security reference documentation on how to use the CSRF token.
This tutorial might be of some use too.
Update (for your updated question):
You let your MyConfiguration class extend WebMvcConfigurerAdapter (for MVC).
Are you 100% certain that this is not working? Because it works for me.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.csrf().disable();
    http.authorizeRequests().antMatchers("/login.xhtml").permitAll()
        .antMatchers("/pages/**").access("isAuthenticated()")
        .antMatchers("/run**").access("isAuthenticated()")
        .and()
        .formLogin()
        .loginProcessingUrl("/login")
        .loginPage("/login.xhtml")
        .successHandler(successHandler)
        .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
        .usernameParameter("username").passwordParameter("password")
        .and().sessionManagement().maximumSessions(2)
        .maxSessionsPreventsLogin(true);
}

You have to add another configuration class that extends WebSecurityConfigurerAdapter (for Spring Security). In that configuration you can override the SecurityConfigurer#configure(...) method.
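As an added example (not the answer's or the question's code), this is what the recommended route looks like: a second configuration class for Spring Security that keeps the CSRF filter enabled, built from the question's matchers and handler beans. It assumes the Spring Security 4.0 line, since csrf().ignoringAntMatchers(...) (noted in Juan's comment below) does not exist in 3.2.5.RELEASE, which is what the question's pom.xml actually pins; the "/api/webhook/**" path is a placeholder invented here only to show the exemption.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    private UserDetailsService userDetailsService;

    @Autowired
    private SuccessHandler successHandler;   // beans declared in the question's AppConfig

    @Autowired
    private FailureHandler failureHandler;

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        // BCrypt (salted, slow) in place of the deprecated ShaPasswordEncoder from the question
        auth.userDetailsService(userDetailsService).passwordEncoder(new BCryptPasswordEncoder());
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers("/login.xhtml").permitAll()
                .antMatchers("/pages/**", "/run**").authenticated()
            .and().formLogin()
                .loginPage("/login.xhtml")
                .loginProcessingUrl("/login")   // the login form must POST the token as well
                .usernameParameter("username")
                .passwordParameter("password")
                .successHandler(successHandler)
                .failureHandler(failureHandler)
            .and().logout()
                .logoutUrl("/logout")           // with CSRF on, logout is a POST carrying the token
            .and().sessionManagement()
                .maximumSessions(2).maxSessionsPreventsLogin(true);

        // CSRF protection stays on (the default). Only the assumed machine-to-machine
        // path, whose caller has no session and therefore no token, is exempted; every
        // browser-facing POST, including JSF postbacks, still needs a valid token.
        http.csrf().ignoringAntMatchers("/api/webhook/**");
    }
}
```

Every JSF page that posts back must carry the token too, e.g. a hidden input with name="#{_csrf.parameterName}" and value="#{_csrf.token}" inside each form, as the question's login page does; a POST that omits it is exactly what produces the 403 shown in the question.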
Alina
Updated on June 12, 2022
Comments
- Alina almost 2 years
I'm using spring security 4.0.1. As soon as I login, it displays my dashboard. When I click on something it gives me the following error page:
HTTP Status 403 - Expected CSRF token not found. Has your session expired?
I've done some research on it and it says I need to add this: http.csrf().disable(). I'm not able to add it since it tells me that the method and is undefined for the type HttpSecurity.
Please find below the configuration code:
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("userDetailsServiceImpl")
    UserDetailsService userDetailsService;

    @Autowired
    SuccessHandler successHandler;

    @Autowired
    FailureHandler failureHandler;

    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        ShaPasswordEncoder encoder = new ShaPasswordEncoder();
        auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/login.xhtml").permitAll()
            .antMatchers("/pages/**").access("isAuthenticated()")
            .antMatchers("/run**").access("isAuthenticated()")
            .and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
            .successHandler(successHandler)
            .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
            .usernameParameter("username")
            .passwordParameter("password")
            .and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);
    }
}
Login.xhtml
<!DOCTYPE html>
<f:view>
  <h:head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
    <script src="js/jquery-1.js"></script>
    <script src="js/adpacks-demo.js" type="text/javascript"></script>
    <script src="js/bsa.js" type="text/javascript"></script>
  </h:head>
  <h:body>
    <form id="login" action='#{request.contextPath}/login' method='POST'>
      <h1>Log In</h1>
      <fieldset id="inputs">
        <input id="username" type="text" name="username" placeholder="Username" />
        <input id="password" type="password" name="password" placeholder="Password" />
      </fieldset>
      <fieldset id="actions">
        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}" />
        <input id="submit" value="Log in" type="submit" /><a href="">Forgot your password?</a>
      </fieldset>
    </form>
  </h:body>
</f:view>
MyConfiguration.java
@Configuration
@EnableWebMvc
@ComponentScan(basePackages = "com.car")
public class MyConfiguration extends WebMvcConfigurerAdapter {

    @Bean(name = "HelloWorld")
    public ViewResolver viewResolver() {
        InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
        viewResolver.setViewClass(JstlView.class);
        viewResolver.setPrefix("/web-inf");
        viewResolver.setSuffix(".xhtml");
        return viewResolver;
    }

    /*
     * Configure ResourceHandlers to serve static resources like CSS/ Javascript etc...
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        registry.addResourceHandler("/webapp/**").addResourceLocations("/webapp/");
    }
}
SecurityWebApplicationInitializer.java
public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer { }
AppConfig.java
@Configuration
public class AppConfig {

    @Bean
    public SuccessHandler successHandler() {
        return new SuccessHandler();
    }

    @Bean
    public FailureHandler failureHandler() {
        return new FailureHandler();
    }
}
Web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
  <context-param>
    <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
    <param-value>.xhtml</param-value>
  </context-param>
  <context-param>
    <param-name>javax.faces.VALIDATE_EMPTY_FIELDS</param-name>
    <param-value>false</param-value>
  </context-param>
  <welcome-file-list>
    <welcome-file>login.xhtml</welcome-file>
  </welcome-file-list>
  <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
  </servlet-mapping>
  <context-param>
    <param-name>com.sun.faces.expressionFactory</param-name>
    <param-value>com.sun.el.ExpressionFactoryImpl</param-value>
  </context-param>
  <servlet>
    <description>generated-servlet</description>
    <servlet-name>CAR Servlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>classpath:CAR-web-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <listener>
    <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.request.RequestContextListener</listener-class>
  </listener>
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <filter>
    <description>generated-spring-security-session-integration-filter</description>
    <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
    <filter-class>org.springframework.security.web.context.SecurityContextPersistenceFilter</filter-class>
  </filter>
  <filter>
    <description>generated-persistence-filter</description>
    <filter-name>CARFilter</filter-name>
    <filter-class>org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
    <init-param>
      <param-name>entityManagerFactoryBeanName</param-name>
      <param-value>CAR</param-value>
    </init-param>
  </filter>
  <filter>
    <description>generated-sitemesh-filter</description>
    <filter-name>Sitemesh Filter</filter-name>
    <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
  </filter>
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
      <param-name>contextAttribute</param-name>
      <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>HRBFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>Sitemesh Filter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <persistence-unit-ref>
    <persistence-unit-ref-name>persistence/CAR</persistence-unit-ref-name>
    <persistence-unit-name>CAR</persistence-unit-name>
  </persistence-unit-ref>
  <persistence-context-ref>
    <persistence-context-ref-name>persistence/CAR</persistence-context-ref-name>
    <persistence-unit-name>CAR</persistence-unit-name>
  </persistence-context-ref>
</web-app>
Pom.xml
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <properties>
    <spring.version>4.0.2.RELEASE</spring.version>
    <spring.security.version>3.2.5.RELEASE</spring.security.version>
  </properties>
  <dependencies>
    <dependency><groupId>org.springframework.security.oauth</groupId><artifactId>spring-security-oauth2</artifactId><version>2.0.7.RELEASE</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>3.8.1</version><scope>test</scope></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-aspects</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-instrument</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-instrument-tomcat</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-tx</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-jms</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-oxm</artifactId><version>${spring.version}</version>
      <exclusions><exclusion><groupId>commons-lang</groupId><artifactId>commons-lang</artifactId></exclusion></exclusions>
    </dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-web</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-webmvc-portlet</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-struts</artifactId><version>3.1.1.RELEASE</version>
      <exclusions>
        <exclusion><groupId>xalan</groupId><artifactId>xalan</artifactId></exclusion>
        <exclusion><groupId>oro</groupId><artifactId>oro</artifactId></exclusion>
        <exclusion><groupId>commons-digester</groupId><artifactId>commons-digester</artifactId></exclusion>
      </exclusions>
    </dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-beans</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-context</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-context-support</artifactId><version>${spring.version}</version></dependency>
    <dependency>
      <!-- Used by Hibernate 4 for LocalSessionFactoryBean -->
      <groupId>org.springframework</groupId><artifactId>spring-orm</artifactId><version>3.1.0.RELEASE</version>
    </dependency>
    <dependency><groupId>org.aspectj</groupId><artifactId>aspectjweaver</artifactId><version>1.6.9</version></dependency>
    <dependency><groupId>cglib</groupId><artifactId>cglib-nodep</artifactId><version>2.2</version></dependency>
    <dependency><groupId>commons-pool</groupId><artifactId>commons-pool</artifactId><version>1.5.3</version></dependency>
    <dependency><groupId>commons-collections</groupId><artifactId>commons-collections</artifactId><version>3.2</version></dependency>
    <dependency><groupId>commons-httpclient</groupId><artifactId>commons-httpclient</artifactId><version>3.1</version></dependency>
    <dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-core</artifactId><version>${spring.security.version}</version>
      <exclusions>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-aop</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-expression</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-context</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-beans</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-core</artifactId></exclusion>
      </exclusions>
    </dependency>
    <dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-web</artifactId><version>${spring.security.version}</version>
      <exclusions>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-core</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-tx</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-web</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-aop</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-jdbc</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-context</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-beans</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-expression</artifactId></exclusion>
      </exclusions>
    </dependency>
    <dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-acl</artifactId><version>${spring.security.version}</version>
      <exclusions>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-aop</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-jdbc</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-context</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-core</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-tx</artifactId></exclusion>
      </exclusions>
    </dependency>
    <dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-aspects</artifactId><version>${spring.security.version}</version>
      <exclusions>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-beans</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-context</artifactId></exclusion>
        <exclusion><groupId>org.springframework</groupId><artifactId>spring-core</artifactId></exclusion>
      </exclusions>
    </dependency>
    <dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-cas</artifactId><version>${spring.security.version}</version></dependency>
    <dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-config</artifactId><version>${spring.security.version}</version></dependency>
    <dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-ldap</artifactId><version>${spring.security.version}</version></dependency>
    <dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-openid</artifactId><version>${spring.security.version}</version>
      <exclusions><exclusion><groupId>com.google.inject</groupId><artifactId>guice</artifactId></exclusion></exclusions>
    </dependency>
    <dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-remoting</artifactId><version>${spring.security.version}</version></dependency>
    <dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-taglibs</artifactId><version>${spring.security.version}</version></dependency>
  </dependencies>
</project>
- Alina over 8 years: I have posted all my config files. Can you tell me where I should include this? http.csrf().disable();
- Ortwin Angermeier over 8 years: I have updated my answer in accordance with your updated question.
- Alina over 8 years: I forgot to tell you something. The class where I have this method, "protected void configure(HttpSecurity http) throws Exception", is already extending WebSecurityConfigurerAdapter. See updated post.
- Ortwin Angermeier over 8 years: Please post the complete configuration class, not only the configure method! If you have a stack trace, post that too.
- Alina over 8 years: Ok. When I add this, I get the following error: Injection of autowired dependencies failed; nested exception is org.springframework.beans.factory.BeanCreationException: Could not autowire field: private org.springframework.security.authentication.encoding.PasswordEncoder mu.sil.access.component.impl.UsersComponentImpl.passwordEncoder; nested exception is org.springframework.beans.factory.NoSuchBeanDefinitionException: No qualifying bean of type [org.springframework.security.authentication.encoding.PasswordEncoder]
- Alina over 8 years: I configured my DispatcherServlet in my web.xml instead of doing it in Java config. Is it possible? Will it work properly?
- Juan Carlos González almost 8 years: For those like me, reaching this question after a while, Spring Security 4.0 added the following in order to disable CSRF validation for some paths: csrf().ignoringAntMatchers(......).
- Christian over 6 years: CSRF anti-measures should be used correctly, not disabled.