I have a login form and I want to protect it against CSRF attacks.
My spring-security.xml:
<sec:http auto-config="true" use-expressions="true">
...
<sec:csrf />
</sec:http>
My JSP file (uses Tiles):
<form class="navbar-form navbar-right form-inline" method="POST" role="form"
action="j_spring_security_check">
<div class="form-group">
<input class="form-control" type="email" name="j_username">
</div>
<div class="form-group">
<input class="form-control" type="password" name="j_password">
</div>
<button class="btn btn-default" type="submit">Login</button>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}">
</form>
I can authorize, but the CSRF input is empty:
<input type="hidden" value="" name="">
Can anyone help me?
3.1 Enabling CSRF Token in Spring Security
disable() in your Spring Security config class. With the default setup, if you look at the source code of the page, you will see the _csrf parameter being added automatically to forms rendered with Spring's form tag library.
To protect MVC applications, Spring adds a CSRF token to each generated view. This token must be submitted to the server on every HTTP request that modifies state (POST, PUT, PATCH and DELETE, not GET). This protects the application against CSRF attacks, since a page on an attacker's origin cannot read the token and therefore cannot forge a request that carries it.
Automated Tools for CSRF testing
Bright's CSRF test first checks whether any CSRF protection is implemented, by checking whether the target has an "Access-Control-Allow-Origin" header misconfiguration or is missing the "Origin" header.
What is the reason to disable CSRF in a Spring Boot application? Usually one of two: you are using another token mechanism, or you want to simplify interactions between a client and the server.
If you apply security="none", then no CSRF token will be generated: the page will not pass through the security filter. Use the role ANONYMOUS.
I have not gone into details, but it is working for me.
<http auto-config="true" use-expressions="true">
<intercept-url pattern="/login.jsp" access="hasRole('ANONYMOUS')" />
<!-- your configuration -->
</http>
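The following is an added example, not the asker's or answerer's own configuration, that puts the answer above and the earlier description of how the Spring CSRF token works into one complete spring-security.xml. It assumes the Spring Security 3.2 XML namespace, that the login page is /login.jsp and that the form posts to /j_spring_security_check with the j_username / j_password field names used in the question; the user entry is a constructed sample for a local test. The point it demonstrates is the cause of the empty hidden input: a page excluded from the filter chain with security="none" never runs CsrfFilter, so the _csrf request attribute is never set and ${_csrf.parameterName} / ${_csrf.token} both evaluate to nothing. Letting the page pass through the chain with permitAll (the answer uses hasRole('ANONYMOUS'); permitAll is the form that does not depend on role-name conventions) keeps the page public while still populating the token.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the question or the answer above).
     Assumptions: Spring Security 3.2 namespace, login page at /login.jsp,
     form posts to /j_spring_security_check with j_username / j_password. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="
               http://www.springframework.org/schema/beans
               http://www.springframework.org/schema/beans/spring-beans.xsd
               http://www.springframework.org/schema/security
               http://www.springframework.org/schema/security/spring-security-3.2.xsd">

  <!-- WRONG (kept commented out to show the contrast): security="none" takes
       the login page out of the filter chain entirely. CsrfFilter never runs
       for it, the _csrf request attribute is never set, and the JSP renders
       <input type="hidden" name="" value="">. -->
  <!-- <http pattern="/login.jsp" security="none" /> -->

  <http auto-config="true" use-expressions="true">
    <!-- RIGHT: the login page still goes through the chain (so CsrfFilter
         sets _csrf), but access is granted to everyone. -->
    <intercept-url pattern="/login.jsp"   access="permitAll" />
    <intercept-url pattern="/resources/**" access="permitAll" />
    <!-- everything else requires an authenticated session -->
    <intercept-url pattern="/**" access="isAuthenticated()" />

    <form-login login-page="/login.jsp"
                login-processing-url="/j_spring_security_check"
                username-parameter="j_username"
                password-parameter="j_password"
                authentication-failure-url="/login.jsp?error=1" />
    <!-- with CSRF enabled, logout must be a POST carrying the token as well -->
    <logout logout-url="/logout" logout-success-url="/login.jsp" />

    <!-- CSRF stays enabled: every POST/PUT/PATCH/DELETE (including the login
         POST itself) must carry the token, or CsrfFilter answers 403. -->
    <csrf />
  </http>

  <authentication-manager>
    <authentication-provider>
      <user-service>
        <!-- constructed sample account for a local test only -->
        <user name="user@example.com" password="changeit" authorities="ROLE_USER" />
      </user-service>
    </authentication-provider>
  </authentication-manager>
</beans:beans>
```

The JSP form from the question needs no change: once the page passes through the chain, the hidden input renders as name="_csrf" with a non-empty value. Two quick checks confirm the fix is effective rather than cosmetic: view the page source and verify the hidden input is populated, then submit the login form once with the hidden field removed and confirm the server rejects it with HTTP 403. Forms rendered with Spring's <form:form> tag get the hidden field added automatically (via CsrfRequestDataValueProcessor), so the manual ${_csrf...} input is only needed for plain HTML forms like the one in the question.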