With Spring Security 3.2.0.RELEASE, how can I get the CSRF token in a page that is purely HTML with no tag libs

by

You can obtain the CSRF using the request attribute named _csrf as outlined in the reference. To add the CSRF to an HTML page, you will need to use JavaScript to obtain the token that needs to be included in the requests.

It is safer to return the token as a header than in the body as JSON since JSON in the body could be obtained by external domains. For example your JavaScript could request a URL processed by the following:

CsrfToken token = (CsrfToken) request.getAttribute("_csrf");
// Spring Security will allow the Token to be included in this header name
response.setHeader("X-CSRF-HEADER", token.getHeaderName());
// Spring Security will allow the token to be included in this parameter name
response.setHeader("X-CSRF-PARAM", token.getParameterName());
// this is the value of the token to be included as either a header or an HTTP parameter
response.setHeader("X-CSRF-TOKEN", token.getToken());

Your JavaScript would then obtain the header name or the parameter name and the token from the response header and add it to the login request.

More Related Contents:

  1. Spring Boot Security CORS
  2. Handle spring security authentication exceptions with @ExceptionHandler
  3. How do I get the Session Object in Spring?
  4. Spring Boot CORS filter – CORS preflight channel did not succeed
  5. Spring Security exclude url patterns in security annotation configurartion
  6. Spring Security 3.2 CSRF support for multipart requests
  7. Spring Security configuration: HTTP 403 error
  8. Spring + Web MVC: dispatcher-servlet.xml vs. applicationContext.xml (plus shared security)
  9. getting exception: No bean named ‘springSecurityFilterChain’ is defined
  10. Multiple antMatchers in Spring security
  11. An Authentication object was not found in the SecurityContext – Spring 3.2.2
  12. Spring Security 3.2 CSRF disable for specific URLs
  13. Looking for a Simple Spring security example [closed]
  14. Spring security 4 custom login j_spring_security_check return http 302
  15. Is it possible to invalidate a spring security session?
  16. Filter invoke twice when register as Spring bean
  17. Spring Boot not serving static content
  18. When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
  19. How to disable spring security for particular url
  20. How Spring Security Filter Chain works
  21. How to use OAuth2RestTemplate?
  22. When use ResponseEntity and @RestController for Spring RESTful applications
  23. How to enable HTTP response caching in Spring Boot
  24. Send datas from html to controller in Thymeleaf?
  25. Spring HandlerInterceptor vs Servlet Filters
  26. SpringServletContainerInitializer cannot be cast to javax.servlet.ServletContainerInitializer
  27. Scope of a Spring-Controller and its instance-variables
  28. Spring Boot: How to specify the PasswordEncoder?
  29. Spring: @ModelAttribute VS @RequestBody
  30. Spring HandlerMethodArgumentResolver not executing

Leave a Comment