
Upgrading Spring Security to 3.2.0.RELEASE no longer provides CSRF token in Spring taglib

My project was using Spring Security 3.2.0.RC2 and my JSPs used the Spring taglib's form:form tag to automatically insert the CSRF token into my forms.

After upgrading to Spring Security 3.2.0.RELEASE, I'm finding that the form:form tag no longer automatically inserts the CSRF token into my form, and that I now must manually add it via placing this in my form: <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>

Has anyone else encountered the same issue? If so, what did you do for a workaround? Thanks.

Anurup Joseph asked Jan 17 '14 20:01


1 Answer

You need to ensure you are using the @EnableWebMvcSecurity annotation instead of the @EnableWebSecurity annotation as described in Hello Spring MVC Security Java Config. The reason for adding the new annotation was to resolve SEC-2436. You will notice that SEC-2463 was added to better document this within the CSRF part of the reference.

Rob Winch answered Nov 15 '22 09:11
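The annotation change described in the answer above, shown as an added example that is not part of the original answer or the Spring project's own sample: a minimal Java configuration for Spring Security 3.2.0.RELEASE. The class name SecurityConfig and the authorization rules are assumptions for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.servlet.configuration.EnableWebMvcSecurity;

// Before (3.2.0.RELEASE): with only @EnableWebSecurity, CSRF protection is
// still enforced on the server, but the Spring MVC integration that lets
// <form:form> emit the hidden token field is not registered. Forms then
// POST without a token and are rejected unless the field is added by hand:
//
//   @Configuration
//   @EnableWebSecurity
//   public class SecurityConfig extends WebSecurityConfigurerAdapter { ... }

// After: @EnableWebMvcSecurity adds the Spring MVC integration, so every
// <form:form> rendered by a JSP carries the hidden
// ${_csrf.parameterName} / ${_csrf.token} input automatically.
@Configuration
@EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter { // hypothetical class name

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is enabled by default in Java configuration;
        // it is deliberately NOT disabled here.
        http
            .authorizeRequests()
                .anyRequest().authenticated() // assumed rule for illustration
                .and()
            .formLogin();
    }
}
```

Plain HTML <form> elements are not processed by the Spring form taglib, so they still need the hidden input from the question added manually.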