Question: Expected CSRF token not found Spring Security

Added at 2016-12-16 20:12

This is the scenario:

I'm using Spring Security 4.0.1, which has CSRF enabled by default, and everything was working OK until yesterday.

Yesterday I added Spring Security Tags, and the login (and other forms) were working fine, but a special form stopped working.

This form is multipart because it uploads two files. It has the CSRF parameter, but the server is returning:

HTTP Status 403 - Expected CSRF token not found. Has your session expired?

This is basically the form:

<form id="documentForm" class="card-panel" method="POST" enctype="multipart/form-data" action="<c:url value="/documents/signDocument?${_csrf.parameterName}=${_csrf.token}"/>">
  <input type="file" name="document"/>
  <input type="text" name="signer"/>
</form>

Of course this is a completely cut-off version of the form, but notice the CSRF parameter is being sent through the action URL. And yes, I've tried putting the CSRF parameter in a hidden input with the same result.

On a side note, this form can be accessed as an anonymous user.

Answer #1, added: 2016-12-18 14:12

The exception you are facing is thrown in

org.springframework.security.web.csrf.CsrfFilter#doFilterInternal

Place a breakpoint there and you can see the expected CSRF token for the current session, as well as the token received from the header or request parameter.

This error may also happen if the correct session was not found or the session cookie is wrong, so you may need to check for that as well.
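
The comparison described in the answer above can also be captured in logs when attaching a debugger is not practical. This is an added example, not code from the original post or from Spring Security: `CsrfDiagnosticFilter` is a hypothetical class, and it assumes the default `HttpSessionCsrfTokenRepository` and the `javax.servlet` API used with Spring Security 4.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical diagnostic filter (not part of Spring Security). Register it in front
// of CsrfFilter: http.addFilterBefore(new CsrfDiagnosticFilter(), CsrfFilter.class);
public class CsrfDiagnosticFilter extends OncePerRequestFilter {

    // Assumption: the application uses the default session-backed token repository.
    private final CsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        if (logger.isDebugEnabled()) {
            // null means no token is stored for this session (or there is no session).
            CsrfToken expected = repository.loadToken(request);
            // generateToken() stores nothing; it is used only to learn the configured names.
            CsrfToken names = (expected != null) ? expected : repository.generateToken(request);

            // Same lookup order as CsrfFilter: header first, then request parameter.
            String received = request.getHeader(names.getHeaderName());
            if (received == null) {
                received = request.getParameter(names.getParameterName());
            }

            // Log presence and match only, so token values never reach the log files.
            logger.debug(request.getMethod() + " " + request.getRequestURI()
                    + " requestedSessionIdPresent=" + (request.getRequestedSessionId() != null)
                    + " requestedSessionIdValid=" + request.isRequestedSessionIdValid()
                    + " sessionPresent=" + (request.getSession(false) != null)
                    + " expectedTokenPresent=" + (expected != null)
                    + " receivedTokenPresent=" + (received != null)
                    + " tokensMatch=" + (expected != null && expected.getToken().equals(received)));
        }
        chain.doFilter(request, response);
    }
}
```

A log line with `expectedTokenPresent=false` points at the session side (no session, or a session cookie that does not match), while `expectedTokenPresent=true` with `receivedTokenPresent=false` points at the token not reaching the server in the header or request parameter.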
