CSRF Issue Latest spring Version:An expected CSRF token cannot be found

[Debesh1234]

CSRF Issue Latest spring Version:An expected CSRF token cannot be found

Summary

WIth Spring security version 5 with below configuration and Passing X-XSRF-TOKEN in POST request am able to get proceed .

@OverRide
protected void configure(HttpSecurity http) throws Exception {
http
.exceptionHandling(handling -> handling.authenticationEntryPoint(userAuthenticationEntryPoint))
.addFilterBefore(new UsernamePasswordAuthFilter(userAuthenticationProvider), BasicAuthenticationFilter.class)
.addFilterBefore(new JwtAuthFilter(userAuthenticationProvider), UsernamePasswordAuthFilter.class)
.csrf(csrf -> csrf.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse()))
.sessionManagement(management -> management.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeRequests(requests -> requests
.antMatchers(HttpMethod.GET, "/v1/csrf").permitAll()
.antMatchers(HttpMethod.POST, "/v1/test").permitAll()
.antMatchers(HttpMethod.POST, "/v1/signIn", "/v1/signUp", "/test").permitAll()
.anyRequest().authenticated());
}

Passing X-XSRF-TOKEN in POST request am able to get proceed whereas ,

With Webflux

@bean
SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) throws Exception {

	http.csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()))
			.authorizeExchange(exchange -> exchange.anyExchange().permitAll());
	return http.build();
}

Keep on getting "An expected CSRF token cannot be found"

Actual Behavior

Expected Behavior

Configuration

Version

Sample

[marcusdacoregio]

Hi, @Debesh1234. CSRF support has gone through some changes between versions 5 and 6. The best place to start would be on the official documentation and maybe the migration docs.

I assume that you have a JavaScript client based on your configuration, so you might be interested in #14149.

I'll close this since it doesn't seem to be a bug, but, after you go through the documentation and apply the required changes, if the problem persists you can provide a minimal, reproducible sample and we can reopen this issue.

[Dbsahoo]

@marcusdacoregio I have a spring gateway service, that is getting invoked from Angular application,
My need to pass the token in header as X-XSRF-TOKEN to allow in subsequent calls, it always giving bi valid card token found

So which way need to pass the token to get success, pls provide some path to correctly implement

[marcusdacoregio]

@Dbsahoo In the previous comment, I linked the documentation that guides you on how to provide such implementation. Please, read it thoroughly and reach out to us if the options there do not fit your use case.

[sachinnirne]

I am also facing an issue with CSRF token, Even I have disabled the csrf in security class. When I am calling API through postman and I'm getting the same error: An expected CSRF token cannot be found.

Spring boot parent : 3.2.1
Spring cloud: 2023.0.0
Spring cloud gateway starter: 4.1.0
I am unable to understood from where this error is coming.
Could you please help on this?

[amaroofcba]

@sachinnirne Did you find the solution?

[towfiq-bK]

@sachinnirne Did you find the solution?

[alianrobyn]

package ua.com.reactive.reactive.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity
public class WebSecurityConfig {

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
//            return     NoOpPasswordEncoder.getInstance();
    }



    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {

        return http
                .csrf(csrf -> csrf.disable())

                .formLogin(Customizer.withDefaults())
                .build();
    }

}

that worked for me