${_csrf.parameterName} and ${_csrf.token} coming empty in login form. I am using Spring 4.1.3 and Spring Security 3.2.5
All the configurations are made correctly but still i am getting
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
as
<input type="hidden" name="" value=""/>
To protect MVC applications, Spring adds a CSRF token to each generated view. This token must be submitted to the server on every HTTP request that modifies state (PATCH, POST, PUT and DELETE — not GET). This protects our application against CSRF attacks since an attacker can't get this token from their own page.
As of Spring Security 4.0, CSRF protection is enabled by default with XML configuration.
A couple of ways you can test it: Open the developer tools in your browser find the input element for the CSRF token and edit the token value. Trigger a POST submission. This should cause an error, HTTP status 403 typically.
I found the answer, i placed the security filter tags in web.xml at top of any other filters and it worked.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With