
CSRF Issue Latest spring Version:An expected CSRF token cannot be found #14151


Closed · Debesh1234 opened this issue Nov 16, 2023 · 7 comments
Labels: status: invalid (An issue that we don't feel is valid)

Debesh1234 commented Nov 16, 2023

Summary

With Spring Security version 5, using the configuration below and passing X-XSRF-TOKEN in the POST request, I am able to proceed.

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .exceptionHandling(handling -> handling.authenticationEntryPoint(userAuthenticationEntryPoint))
        .addFilterBefore(new UsernamePasswordAuthFilter(userAuthenticationProvider), BasicAuthenticationFilter.class)
        .addFilterBefore(new JwtAuthFilter(userAuthenticationProvider), UsernamePasswordAuthFilter.class)
        // CSRF token stored in a cookie readable by JavaScript (XSRF-TOKEN), echoed back in X-XSRF-TOKEN
        .csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
        .sessionManagement(management -> management.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
        .authorizeRequests(requests -> requests
            .antMatchers(HttpMethod.GET, "/v1/csrf").permitAll()
            .antMatchers(HttpMethod.POST, "/v1/test").permitAll()
            .antMatchers(HttpMethod.POST, "/v1/signIn", "/v1/signUp", "/test").permitAll()
            .anyRequest().authenticated());
}

Passing X-XSRF-TOKEN in the POST request, I am able to proceed, whereas,

With WebFlux:

@Bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {
    http.csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()))
        .authorizeExchange(exchange -> exchange.anyExchange().permitAll());
    return http.build();
}

I keep getting "An expected CSRF token cannot be found".

Actual Behavior

Expected Behavior

Configuration

Version

Sample

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 16, 2023
@marcusdacoregio (Contributor)

Hi, @Debesh1234. CSRF support has gone through some changes between versions 5 and 6. The best place to start would be on the official documentation and maybe the migration docs.

I assume that you have a JavaScript client based on your configuration, so you might be interested in #14149.

I'll close this since it doesn't seem to be a bug, but, after you go through the documentation and apply the required changes, if the problem persists you can provide a minimal, reproducible sample and we can reopen this issue.

@marcusdacoregio marcusdacoregio self-assigned this Nov 16, 2023
@marcusdacoregio marcusdacoregio added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 16, 2023
Dbsahoo commented Nov 16, 2023

@marcusdacoregio I have a Spring Gateway service that is invoked from an Angular application.
I need to pass the token in the header as X-XSRF-TOKEN to allow the subsequent calls; it keeps giving "invalid CSRF token found".

So which way do I need to pass the token to succeed? Please provide some path to implement it correctly.
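The Spring Security 6 WebFlux configuration that the maintainer's documentation pointer and the Angular question above are about, as an added example (not code posted in this thread): it follows the single-page-application pattern from the Spring Security 6 reference documentation, with the class names SpaCsrfConfig and SpaServerCsrfTokenRequestHandler assumed. A JavaScript client reads the XSRF-TOKEN cookie and sends its value back in the X-XSRF-TOKEN header on every state-changing request; the handler below makes sure that cookie is actually written and that the raw header value is accepted.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestAttributeHandler;
import org.springframework.security.web.server.csrf.XorServerCsrfTokenRequestAttributeHandler;
import org.springframework.util.StringUtils;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class SpaCsrfConfig { // assumed name, added example

    @Bean
    SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
            // XSRF-TOKEN cookie readable by JavaScript, validated from the X-XSRF-TOKEN header
            .csrf(csrf -> csrf
                .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(new SpaServerCsrfTokenRequestHandler()))
            .authorizeExchange(exchange -> exchange.anyExchange().permitAll())
            .build();
    }

    /** Assumed name. Accepts both the masked (XOR) form and the raw header form of the token. */
    static final class SpaServerCsrfTokenRequestHandler extends ServerCsrfTokenRequestAttributeHandler {
        private final ServerCsrfTokenRequestAttributeHandler xor = new XorServerCsrfTokenRequestAttributeHandler();

        @Override
        public void handle(ServerWebExchange exchange, Mono<CsrfToken> csrfToken) {
            // Expose the masked token to templates (BREACH protection) ...
            this.xor.handle(exchange, csrfToken);
            // ... and subscribe: in Spring Security 6 the token is deferred, so the cookie is only
            // written once something consumes it; otherwise "An expected CSRF token cannot be found".
            csrfToken.subscribe();
        }

        @Override
        public Mono<String> resolveCsrfTokenValue(ServerWebExchange exchange, CsrfToken csrfToken) {
            // A JavaScript client echoes the raw cookie value in the header; a form post carries the
            // masked value, so choose the resolver that matches how the token arrived.
            boolean hasHeader = exchange.getRequest().getHeaders()
                .getOrEmpty(csrfToken.getHeaderName()).stream().anyMatch(StringUtils::hasText);
            return hasHeader ? super.resolveCsrfTokenValue(exchange, csrfToken)
                             : this.xor.resolveCsrfTokenValue(exchange, csrfToken);
        }
    }
}
```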

@marcusdacoregio (Contributor)

@Dbsahoo In the previous comment, I linked the documentation that guides you on how to provide such an implementation. Please read it thoroughly and reach out to us if the options there do not fit your use case.

@sachinnirne

I am also facing an issue with the CSRF token, even though I have disabled CSRF in the security class. When I call the API through Postman, I get the same error: An expected CSRF token cannot be found.

Spring Boot parent: 3.2.1
Spring Cloud: 2023.0.0
Spring Cloud Gateway starter: 4.1.0
I am unable to understand where this error is coming from.
Could you please help with this?

@amaroofcba

@sachinnirne Did you find the solution?

@towfiq-bK

@sachinnirne Did you find the solution?

alianrobyn commented Oct 18, 2024

package ua.com.reactive.reactive.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class WebSecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
        // return NoOpPasswordEncoder.getInstance();
    }

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
                // Turns CSRF protection off entirely, so no token is required on any request
                .csrf(csrf -> csrf.disable())
                .formLogin(Customizer.withDefaults())
                .build();
    }

}

That worked for me.
