HTTP State 403 - Expected CSRF Token not found. Did your session expire?

advertisements

I'm using spring security 4.0.1. As soon as I login, it displays my dashboard. When I click on something it gives me the following error page:

HTTP Status 403 - Expected CSRF token not found. Has your session expired?

I've done some research on it and it says I need to add this http.csrf().disable(). I'm not able to add it since it tells me that the method and is undefined for the type httpsecurity.

Please find below the configuration code:

 @Configuration
 @EnableWebSecurity
 public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Autowired
    @Qualifier("userDetailsServiceImpl")
    UserDetailsService userDetailsService;

    @Autowired
    SuccessHandler successHandler;

    @Autowired
    FailureHandler failureHandler;

    @Autowired
     public void configureGlobalSecurity(AuthenticationManagerBuilder auth)   throws Exception {
    ShaPasswordEncoder encoder = new ShaPasswordEncoder();
    auth.userDetailsService(userDetailsService).passwordEncoder(encoder);
    }

@Override
protected void configure(HttpSecurity http) throws Exception {

  http.authorizeRequests()
    .antMatchers("/login.xhtml").permitAll()
    .antMatchers("/pages/**").access("isAuthenticated()")
    .antMatchers("/run**").access("isAuthenticated()")
    .and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
    .successHandler(successHandler)
    .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
    .usernameParameter("username")
    .passwordParameter("password")
    .and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);
  }
 }

Login.xhtml

  <!DOCTYPE html>
  <f:view>
   <h:head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8" />
    </script><script src="js/jquery-1.js"></script>
    <script src="js/adpacks-demo.js" type="text/javascript"></script>
    <script src="js/bsa.js" type="text/javascript"></script>

   </h:head>
<h:body>
    <form id="login" action='#{request.contextPath}/login' method='POST'>
        <h1>Log In</h1>
        <fieldset id="inputs">
            <input id="username" type="text" name="username" placeholder="Username" />
            <input id="password" type="password" name="password" placeholder="Password" />
        </fieldset>
        <fieldset id="actions">
            <input type="hidden" name="${_csrf.parameterName}"  value="${_csrf.token}" />
            <input id="submit" value="Log in" type="submit"  /><a href="">Forgot your password?</a>
        </fieldset>
    </form>
</h:body>

MyConfiguration.java

  @Configuration
  @EnableWebMvc
  @ComponentScan(basePackages = "com.car")
  public class MyConfiguration extends WebMvcConfigurerAdapter {

@Bean(name="HelloWorld")
public ViewResolver viewResolver() {
    InternalResourceViewResolver viewResolver = new InternalResourceViewResolver();
    viewResolver.setViewClass(JstlView.class);
    viewResolver.setPrefix("/web-inf");
    viewResolver.setSuffix(".xhtml");

    return viewResolver;
}

/*
 * Configure ResourceHandlers to serve static resources like CSS/ Javascript etc...
 */
@Override
public void addResourceHandlers(ResourceHandlerRegistry registry) {
    registry.addResourceHandler("/webapp/**").addResourceLocations("/webapp/");
}

}

SecurityWebApplicationInitializer.java

  public class SecurityWebApplicationInitializer extends   AbstractSecurityWebApplicationInitializer {

  }

AppConfig.java

   @Configuration
   public class AppConfig {
   @Bean
   public SuccessHandler successHandler() {
       return new SuccessHandler();
   }

   @Bean
   public FailureHandler failureHandler() {
       return new FailureHandler();
    }
    }

Web.xml

   <?xml version="1.0" encoding="UTF-8"?>
   <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"       xmlns="http://java.sun.com/xml/ns/javaee"    xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee   http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">

 <context-param>
      <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
      <param-value>.xhtml</param-value>
 </context-param>

 <context-param>
    <param-name>javax.faces.VALIDATE_EMPTY_FIELDS</param-name>
    <param-value>false</param-value>
 </context-param>

 <welcome-file-list>
    <welcome-file>login.xhtml</welcome-file>
 </welcome-file-list>
 <servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
 </servlet>
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

 <context-param>
      <param-name>com.sun.faces.expressionFactory</param-name>
      <param-value>com.sun.el.ExpressionFactoryImpl</param-value>
 </context-param>

<servlet>
    <description>generated-servlet</description>
    <servlet-name>CAR Servlet</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>classpath:CAR-web-context.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<listener>
    <listener-class>
        org.springframework.security.web.session.HttpSessionEventPublisher
    </listener-class>
</listener>
<listener>
    <listener-class>
        org.springframework.web.context.request.RequestContextListener</listener-class>
</listener>
<listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
</listener>

<filter>
    <description>
        generated-spring-security-session-integration-filter
    </description>
    <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
    <filter-class>
        org.springframework.security.web.context.SecurityContextPersistenceFilter</filter-class>
</filter>
<filter>
    <description>generated-persistence-filter</description>
    <filter-name>CARFilter</filter-name>
    <filter-class>
        org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter</filter-class>
    <init-param>
        <param-name>entityManagerFactoryBeanName</param-name>
        <param-value>CAR</param-value>
    </init-param>
</filter>
<filter>
    <description>generated-sitemesh-filter</description>
    <filter-name>Sitemesh Filter</filter-name>
    <filter-class>com.opensymphony.module.sitemesh.filter.PageFilter</filter-class>
</filter>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    <init-param>
        <param-name>contextAttribute</param-name>
        <param-value>org.springframework.web.servlet.FrameworkServlet.CONTEXT.dispatcher‌​</param-value>
    </init-param>
</filter>

<filter-mapping>
    <filter-name>SpringSecuritySessionIntegrationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>HRBFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>Sitemesh Filter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<persistence-unit-ref>
    <persistence-unit-ref-name>persistence/CAR</persistence-unit-ref-name>
    <persistence-unit-name>CAR</persistence-unit-name>
  </persistence-unit-ref>

  <persistence-context-ref>
    <persistence-context-ref-name>persistence/CAR</persistence-context-ref-name>
    <persistence-unit-name>CAR</persistence-unit-name>
</persistence-context-ref>

</web-app>

Pom.xml

 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">

<properties>
    <spring.version>4.0.2.RELEASE</spring.version>
    <spring.security.version>3.2.5.RELEASE</spring.security.version>
</properties>

<dependencies>

    <dependency>
        <groupId>org.springframework.security.oauth</groupId>
        <artifactId>spring-security-oauth2</artifactId>
        <version>2.0.7.RELEASE</version>
    </dependency> 

    <dependency>
        <groupId>junit</groupId>
        <artifactId>junit</artifactId>
        <version>3.8.1</version>
        <scope>test</scope>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-aspects</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-instrument</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-instrument-tomcat</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-tx</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-jms</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-oxm</artifactId>
        <version>${spring.version}</version>
        <exclusions>
            <exclusion>
                <groupId>commons-lang</groupId>
                <artifactId>commons-lang</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-web</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc-portlet</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-struts</artifactId>
        <version>3.1.1.RELEASE</version>
        <exclusions>
            <exclusion>
                <groupId>xalan</groupId>
                <artifactId>xalan</artifactId>
            </exclusion>
            <exclusion>
                <groupId>oro</groupId>
                <artifactId>oro</artifactId>
            </exclusion>
            <exclusion>
                <groupId>commons-digester</groupId>
                <artifactId>commons-digester</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-beans</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context</artifactId>
        <version>${spring.version}</version>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-context-support</artifactId>
        <version>${spring.version}</version>
    </dependency>

    <dependency>   <!-- Usata da Hibernate 4 per LocalSessionFactoryBean -->
        <groupId>org.springframework</groupId>
        <artifactId>spring-orm</artifactId>
        <version>3.1.0.RELEASE</version>
    </dependency>

    <dependency>
        <groupId>org.aspectj</groupId>
        <artifactId>aspectjweaver</artifactId>
        <version>1.6.9</version>
    </dependency>

    <dependency>
        <groupId>cglib</groupId>
        <artifactId>cglib-nodep</artifactId>
        <version>2.2</version>
    </dependency>

    <dependency>
        <groupId>commons-pool</groupId>
        <artifactId>commons-pool</artifactId>
        <version>1.5.3</version>
    </dependency>

    <dependency>
        <groupId>commons-collections</groupId>
        <artifactId>commons-collections</artifactId>
        <version>3.2</version>
    </dependency>

    <dependency>
        <groupId>commons-httpclient</groupId>
        <artifactId>commons-httpclient</artifactId>
        <version>3.1</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-core</artifactId>
        <version>${spring.security.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-aop</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-expression</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-context</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-beans</artifactId>
            </exclusion>

            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>
            </exclusion>

        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>
        <version>${spring.security.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-tx</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-web</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-aop</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-jdbc</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-context</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-beans</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-expression</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-acl</artifactId>
        <version>${spring.security.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-aop</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-jdbc</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-context</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-tx</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-aspects</artifactId>
        <version>${spring.security.version}</version>
        <exclusions>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-beans</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-context</artifactId>
            </exclusion>
            <exclusion>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-cas</artifactId>
        <version>${spring.security.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
        <version>${spring.security.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-ldap</artifactId>
        <version>${spring.security.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-openid</artifactId>
        <version>${spring.security.version}</version>
        <exclusions>
            <exclusion>
                <groupId>com.google.inject</groupId>
                <artifactId>guice</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-remoting</artifactId>
        <version>${spring.security.version}</version>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-taglibs</artifactId>
        <version>${spring.security.version}</version>
    </dependency>

</project>


http.csrf().disable(); should be added in your class public class SecurityConfiguration extends WebSecurityConfigurerAdapter

@Override
protected void configure(HttpSecurity http) throws Exception {

    http.authorizeRequests()
        .antMatchers("/login.xhtml").permitAll()
        .antMatchers("/pages/**").access("isAuthenticated()")
        .antMatchers("/run**").access("isAuthenticated()")
        .and().formLogin().loginProcessingUrl("/login").loginPage("/login.xhtml")
        .successHandler(successHandler)
        .failureHandler(failureHandler).defaultSuccessUrl("/pages/dashboard.xhtml")
        .usernameParameter("username")
        .passwordParameter("password")
        .and().sessionManagement().maximumSessions(2).maxSessionsPreventsLogin(true);

    http.csrf().disable();
  }
 }

http.csrf().disable() is supported in spring security 4.0.1 (I have look at 3.2.3 doc, and it is already there Class HttpSecurity)

I think there is something wrong in your configuration setting.
Please post all the related code. e.g. build.gradle for Gradle or pom.xml for Maven, web.xml, all spring configuration code, etc