Spring security csrf is null

I have a login form and I want to protect it against CSRF attacks.

My spring-security.xml

<sec:http auto-config="true" use-expressions="true">
    ...
    <sec:csrf />
</sec:http>

My JSP file (using Tiles):

<form class="navbar-form navbar-right form-inline" method="POST" role="form"
  action="j_spring_security_check">
  <div class="form-group">
    <input class="form-control" type="email" name="j_username">
  </div>
  <div class="form-group">
    <input class="form-control" type="password" name="j_password">
  </div>
  <button class="btn btn-default" type="submit">Login</button>

  <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}">
</form>

I can authorize, but the CSRF field is empty:

<input type="hidden" value="" name="">

Can anyone help me?

240 likes
Mufanu asked Jan 15 '14 20:01

1 Answer

If you apply security="none", then no CSRF token will be generated: the page will not pass through the security filter. Use the role ANONYMOUS.

I have not gone in details, but it is working for me.

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/login.jsp" access="hasRole('ANONYMOUS')" />
    <!-- your configuration -->
</http>
79 likes
Awanish Kumar answered Sep 28 '22 15:09
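The following is an added example, not part of the original question or answer, showing the setting that produces an empty token next to the corrected one. It assumes a Spring Security 3.2-style XML namespace configuration, a login page at /login.jsp, the form-login processing URL j_spring_security_check used in the question, and a constructed in-memory user for completeness; the user name, password and URL patterns are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the original poster's or answerer's config). -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- WEAK (commented out): security="none" takes /login.jsp out of the
         filter chain entirely. CsrfFilter never runs for that request, so the
         _csrf request attribute is never set and ${_csrf.parameterName} and
         ${_csrf.token} render as empty strings. That is the symptom reported
         in the question: <input type="hidden" value="" name="">. -->
    <!--
    <http pattern="/login.jsp" security="none" />
    -->

    <!-- CORRECTED: keep /login.jsp inside the filter chain and only relax the
         access rule for it. CsrfFilter now runs, stores the token in the
         session and exposes it as the _csrf request attribute, so the hidden
         field in the JSP gets a real parameter name and value. -->
    <http auto-config="true" use-expressions="true">
        <!-- Order matters: the most specific pattern must come first. -->
        <intercept-url pattern="/login.jsp" access="hasRole('ANONYMOUS')" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <form-login login-page="/login.jsp"
                    login-processing-url="/j_spring_security_check"
                    username-parameter="j_username"
                    password-parameter="j_password" />
        <!-- CSRF protection applies to every request that passes the chain. -->
        <csrf />
    </http>

    <!-- Constructed placeholder user so the config is complete; replace with
         a real UserDetailsService in practice. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="user" password="changeme" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

`hasRole('ANONYMOUS')` admits only unauthenticated visitors (an already logged-in user hitting /login.jsp gets 403); `access="permitAll"` is the usual alternative when that is not wanted. To confirm the fix, view the rendered page source and check that the hidden input now reads `name="_csrf"` with a non-empty value, then verify that a POST to j_spring_security_check without that parameter, or with a wrong value, is rejected with HTTP 403 rather than authenticating.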