Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'

问题:

After configuring Spring Security 3.2, _csrf.token is not bound to a request or a session object.

This is the spring security config:

And it renders the next html:

The result is 403 HTTP status:

Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'. 

UPDATE After some debug, the request object gets out fine form DelegatingFilterProxy, but in the line 469 of CoyoteAdapter it executes request.recycle(); that erases all the attributes...

I test in Tomcat 6.0.36, 7.0.50 with JDK 1.7.

I have not understood this behavior, rather than, it would be possible if someone point me in the direction of some application sample war with Spring Security 3.2 that works with CSRF.

回答1:

It looks like the CSRF (Cross Site Request Forgery) protection in your Spring application is enabled. Actually it is enabled by default.

According to spring.io:

When should you use CSRF protection? Our recommendation is to use CSRF protection for any request that could be processed by a browser by normal users. If you are only creating a service that is used by non-browser clients, you will likely want to disable CSRF protection.

So to disable it:

@Configuration public class RestSecurityConfig extends WebSecurityConfigurerAdapter {   @Override   protected void configure(HttpSecurity http) throws Exception {     http.csrf().disable();   } } 

If you want though to keep CSRF protection enabled then you have to include in your form the csrftoken. You can do it like this:

   ....other fields here....   
 

You can even include the CSRF token in the form's action:

回答2:

Shouldn't you add to the login form?;

As stated in the here in the Spring security documentation

回答3:

if you will apply security="none" then no csrf token will be generated. page will not pass through security filter. Use role ANONYMOUS.

I have not gone in details, but it is working for me.

回答4:

Try to change this: to this : . It should disable csfr.

回答5:

I used to have the same problem.

Your config use security="none" so cannot generate _csrf:

you can set access="IS_AUTHENTICATED_ANONYMOUSLY" for page /login.jsp replace above config：

回答6:

With thymeleaf you may add:

回答7:

Spring documentation to disable csrf: https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-configure

@EnableWebSecurity public class WebSecurityConfig extends WebSecurityConfigurerAdapter {     @Override    protected void configure(HttpSecurity http) throws Exception {       http.csrf().disable();    } } 

回答8:

i think csrf only works with spring forms

change to form:form tag and see it that works.

回答9:

Please see my working sample application on Github and compare with your set up.

回答10:

In your controller add the following:

@RequestParam(value = "_csrf", required = false) String csrf 

And on jsp page add

Neither one of the solutions worked form me. The only one that worked for me in Spring form is:
  
action="./upload?${_csrf.parameterName}=${_csrf.token}"
  
REPLACED WITH:
  
action="./upload?_csrf=${_csrf.token}"
  
(Spring 5 with enabled csrf in java configuration)
     

回答12:

I have used Spring 4.2.3 version jar for spring security but I got the same error. Then I downgraded to 3.1.4 and this work perfectly.

Here is my dependencies from pom.xml:

org.springframeworkspring-core3.2.3.RELEASEorg.springframeworkspring-beans3.2.3.RELEASEorg.springframeworkspring-context3.2.3.RELEASEorg.springframeworkspring-jdbc3.2.3.RELEASEorg.springframeworkspring-web3.2.3.RELEASEorg.springframeworkspring-webmvc3.2.3.RELEASEjavax.servletjstl1.2mysqlmysql-connector-java5.1.26javax.validationvalidation-api1.1.0.Finalorg.hibernatehibernate3.5.4-Finalpomorg.hibernatehibernate-validator5.0.1.Finalcommons-validatorcommons-validator1.4.0org.springframework.securityspring-security-core3.1.4.RELEASEorg.springframework.securityspring-security-web3.1.4.RELEASEorg.springframework.securityspring-security-config3.1.4.RELEASE

文章来源: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'