I just upgraded to Spring Security 4.2.3.RELEASE and now I can't log in. Specifically, when I log in, submitting these request parameters:
OWASP_CSRFTOKEN ZLCK-J3VV-OJTK-8GZW-H68V-C8N6-CE6G-U6AQ
j_password aaa
j_username mouser
I get the error
Could not verify the provided CSRF token because your session was not found.
You can see from the parameters above that a token is being sent (under the name `OWASP_CSRFTOKEN`, the OWASP CSRFGuard parameter name, rather than Spring Security's default `_csrf`). Below is my Spring Security configuration. What else do I need to check to get this working?
<!-- Custom form-login filter (project class, not shown; presumably a subclass of
     UsernamePasswordAuthenticationFilter) that replaces the namespace form-login
     filter. In 4.x the CsrfFilter runs ahead of the form-login slot, so this
     bean only sees a POST after the request's _csrf token has been accepted. -->
<beans:bean id="mycoUsernamePasswordUrlAuthenticationFilter"
class="org.collegeboard.myco.core.security.mycoUsernamePasswordUrlAuthenticationFilter">
<!-- 3.x-style login-processing URL kept explicitly (the 4.x default moved to /login). -->
<beans:property name="filterProcessesUrl" value="/j_spring_security_check" />
<beans:property name="authenticationManager" ref="authenticationManager" />
<!-- Redirects failed logins to a URL chosen per exception type.
     NOTE(review): the exact /login permitAll rule does not cover /login/failure;
     unless one of the elided intercept-url rules permits it, the entry point
     will bounce this redirect back to /login and the failure page is never
     shown. Keep the exceptionMappings from distinguishing unknown-user from
     bad-password outcomes, or the login page becomes a username oracle. -->
<beans:property name="authenticationFailureHandler">
<beans:bean
class="org.springframework.security.web.authentication.ExceptionMappingAuthenticationFailureHandler">
<beans:property name="defaultFailureUrl" value="/login/failure" />
<beans:property name="exceptionMappings" ref="exceptionMappings" />
</beans:bean>
</beans:property>
<!-- Custom success handler (not shown); lands on /authenticate and is handed a
     sessionService whose role is not visible in this snippet. -->
<beans:property name="authenticationSuccessHandler">
<beans:bean
class="org.collegeboard.myco.security.mycoAuthenticationSuccessHandler">
<beans:property name="defaultTargetUrl" value="/authenticate" />
<beans:property name="sessionService" ref="sessionService" />
</beans:bean>
</beans:property>
</beans:bean>
...
<!-- Sends unauthenticated requests to GET /login. That GET must itself pass
     through the secured chain so that a session (and the session-backed CSRF
     token the CsrfFilter later checks) exists before the form is posted back. -->
<beans:bean id="loginUrlAuthenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:constructor-arg name="loginFormUrl" value="/login" />
</beans:bean>
<!-- Spring Security 4.x turns CSRF protection on by default, so this chain
     implicitly contains a CsrfFilter (the same as writing an explicit <csrf/>).
     Unless a custom token repository renames it, the filter reads the token from
     the "_csrf" request parameter or the X-CSRF-TOKEN header and compares it
     with the token stored in the HTTP session; a parameter named OWASP_CSRFTOKEN
     is simply ignored. "Could not verify the provided CSRF token because your
     session was not found" means no session-held token existed when the POST
     arrived: the login page must be fetched through this same chain so a session
     and token are created first.
     NOTE(review): a custom security-context-repository-ref is in use; confirm it
     still lets a session be created on the GET of /login and that the default
     session-backed CSRF token repository can see it (otherwise configure the
     <csrf> element's token-repository-ref to match). -->
<http name="defaultSecurity" security-context-repository-ref="mycoSecurityContextRepository"
auto-config="false" use-expressions="true" authentication-manager-ref="authenticationManager"
entry-point-ref="loginUrlAuthenticationEntryPoint">
<!-- <access-denied-handler error-page="/denied"/> -->
<!-- Replaces the namespace form-login filter. The CsrfFilter runs before this
     slot, so a POST to /j_spring_security_check without a valid token is
     rejected before any credential is examined. -->
<custom-filter position="FORM_LOGIN_FILTER"
ref="mycoUsernamePasswordUrlAuthenticationFilter" />
<!-- intercept-url rules are evaluated in order, first match wins. These
     patterns are exact (no trailing /**), so e.g. /login/failure is NOT
     covered by the /login rule. -->
<intercept-url pattern="/lti/launch" access="permitAll" />
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/status" access="permitAll" />
<intercept-url pattern="/termsOfUse" access="permitAll" />
<intercept-url pattern="/privacyPolicy" access="permitAll" />
<intercept-url pattern="/contactUs" access="permitAll" />
<intercept-url pattern="/legal" access="permitAll" />
<intercept-url pattern="/logout" access="permitAll" />
...
<intercept-url pattern="/dwrsetcookie" access="isFullyAuthenticated()" />
<intercept-url pattern="/dwrpageid" access="permitAll" />
<!-- With CSRF enabled the LogoutFilter only accepts a POST to
     /j_spring_security_logout that carries the _csrf token; a plain GET link
     that worked on 3.x no longer ends the session. -->
<logout invalidate-session="true" logout-success-url="/logout" logout-url="/j_spring_security_logout" />
</http>
<!-- DaoAuthenticationProvider backed by the project's UserDetailsService and a
     passwordEncoder bean (neither shown). Leave hideUserNotFoundExceptions at
     its default (true) so the failure handler above receives a
     BadCredentialsException for unknown users too, rather than a
     distinguishable UsernameNotFoundException it could map to a different URL. -->
<authentication-manager alias="authenticationManager" id="authenticationManager">
<authentication-provider user-service-ref="sbdUserDetailsService">
<password-encoder ref="passwordEncoder" />
</authentication-provider>
</authentication-manager>
Spring Security 4 enables CSRF protection by default, and its CsrfFilter looks for the token in the `_csrf` request parameter (or the `X-CSRF-TOKEN` header), not in `OWASP_CSRFTOKEN`. Add the hidden input below to your login JSP so the form posts the token Spring issued. The error text says the token could not be verified because no session was found: the token is stored in the HTTP session by default, so the login page must be served through the same filter chain for a session and token to exist before the POST; also check that your custom `mycoSecurityContextRepository` still allows a session to be created on the GET of the login page.
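<%-- Posts the token Spring Security's CsrfFilter expects: the parameter name
     resolves to "_csrf" by default and the value is the token held in the
     current session, so this page must be rendered through the secured chain.
     (JSP comment: not sent to the browser.) --%>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>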
As a last resort you can disable CSRF protection by adding the element below inside `<http>`. Be aware this switches the check off for every endpoint in this filter chain, including the cookie-session form login, which reintroduces cross-site request forgery (and login CSRF); prefer the hidden-field fix above, and if specific endpoints genuinely need an exemption, scope it with the `<csrf>` element's `request-matcher-ref` instead of disabling it globally.
<!-- Last resort only: removes the CsrfFilter from this whole <http> chain,
     including the cookie-session form login, so every state-changing request
     becomes forgeable cross-site. Prefer posting the _csrf token; to exempt
     only specific endpoints use request-matcher-ref instead. -->
<csrf disabled="true"/>