I have a web application which uses Spring Security, version 4.0.1 and Spring version 4.1.6.
In every page of the web app I have the
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
parameter which sends the CSRF token to the server. Now my problem is that if I see the source code of the jsp I have
<input type="hidden" name="" value=""/>
so the token is not sent to the server and the post action results in the message HTTP Status 405 - Request method 'POST' not supported.
If I deploy the same web application on Tomcat 7.0.5.x everything works fine, and it also works fine in WAS 7, WAS 8.5 and JBoss EAP 6.4.
I cannot understand why on this version of Tomcat (7.0.28), which I downloaded from the web site without changing anything about configuration, etc., the CSRF protection offered by Spring Security is not working.
I faced the same problem: Tomcat 7.0.28 is not able to auto-detect the Spring Security filter.
My solution is to add this:
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
to the web.xml and try again.
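One way to confirm that the filter declaration from the answer above is present in a deployed web.xml, as an added example that is not part of the original thread: this Python check reports whether a DelegatingFilterProxy named springSecurityFilterChain is declared and mapped to /*. The function name and both sample documents are constructed for illustration, and a targetBeanName init-param is not considered.

```python
import xml.etree.ElementTree as ET

PROXY = "org.springframework.web.filter.DelegatingFilterProxy"

def _local(tag):
    """Strip an XML namespace prefix: '{ns}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""

def check_security_filter(web_xml, bean="springSecurityFilterChain"):
    """Return a list of problems; an empty list means the chain covers /*."""
    root = ET.fromstring(web_xml)
    proxies = [f for f in _children(root, "filter") if _text(f, "filter-class") == PROXY]
    # DelegatingFilterProxy looks up the Spring bean by its filter-name.
    names = {_text(f, "filter-name") for f in proxies}
    if bean not in names:
        return [f"no DelegatingFilterProxy named {bean}"]
    patterns = [
        (p.text or "").strip()
        for m in _children(root, "filter-mapping")
        if _text(m, "filter-name") == bean
        for p in _children(m, "url-pattern")
    ]
    if "/*" not in patterns:
        return [f"{bean} is not mapped to /* (found {patterns})"]
    return []

# Constructed samples: a descriptor without the filter, and one with the fix.
BROKEN = '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"></web-app>'
FIXED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_security_filter(doc) or "OK")
```

A narrower mapping such as /admin/* is reported as a problem because pages outside it would still render the hidden CSRF field with empty name and value.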