Tags: spring, spring-mvc, spring-security, csrf

Spring CSRF HTTP 403 forbidden error


I am migrating from Struts to Spring. Since I am working on the latest Spring version, 4.3, we decided to go with CSRF protection for our application. On our JSP page we have two tabs, both clickable, with HTTP GET methods that call the Spring controller. Each tab has multiple links and buttons. After the GET call, if I do any action on the page, for example clicking a button which does a POST call to the controller, I am getting 403 Forbidden with the message "Expected CSRF token not found. Has your session expired?".

In the Firefox developer tools, in the POST call's form data, I could see _csrf with the token being passed. The response header says X-Frame-Options: DENY. I suspect the previous HTTP GET call, which happens on selecting the tab, is causing the issue. Do we need to pass the CSRF token for HTTP GET methods as well? Any help?


Solution

  • As I said, I was working on a migration project; for every call, the existing code cleans the session attributes in one of the utility methods. Though I am sending the token in each request, because of the session cleaning in that utility method my token is being compared with a null value. Hence it was throwing the error "Expected CSRF token not found. Has your session expired".

    Now it is resolved. Thank you.
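The failure described in the answer comes from a session-cleanup routine that also removes the attribute in which Spring Security's HttpSessionCsrfTokenRepository stores the expected token, so CsrfFilter finds nothing to compare the submitted _csrf value against. The following is an added example (not the asker's code and not part of Spring) of a cleanup utility that wipes application attributes but preserves the framework-owned ones. The class name SessionCleanupUtil and the main() demo are hypothetical; it assumes the default session attribute name of HttpSessionCsrfTokenRepository and, for the demo only, spring-test's MockHttpSession.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpSession;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

/**
 * Hypothetical replacement for a "clear everything" session utility.
 * It removes application attributes but keeps the entries Spring Security
 * relies on, so the stored CSRF token survives and the next POST still matches.
 */
public final class SessionCleanupUtil {

    // Mirrors the default session attribute name used by HttpSessionCsrfTokenRepository
    // (its private DEFAULT_CSRF_TOKEN_ATTR_NAME). If the repository was configured with
    // setSessionAttributeName(...), use that configured name here instead.
    static final String CSRF_TOKEN_ATTR =
            HttpSessionCsrfTokenRepository.class.getName() + ".CSRF_TOKEN";

    // Attributes that must never be removed by application cleanup.
    private static final Set<String> PRESERVED;
    static {
        Set<String> names = new HashSet<>();
        names.add(CSRF_TOKEN_ATTR);
        // The authenticated SecurityContext lives here; dropping it logs the user out.
        names.add(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        PRESERVED = Collections.unmodifiableSet(names);
    }

    private SessionCleanupUtil() {}

    /**
     * Removes every session attribute except the preserved framework ones.
     * Returns the names that were removed, which is handy for logging or assertions.
     */
    public static Set<String> clearApplicationAttributes(HttpSession session) {
        Set<String> removed = new HashSet<>();
        // Copy the names first: removing attributes while iterating the live
        // enumeration is not safe.
        for (String name : Collections.list(session.getAttributeNames())) {
            if (!PRESERVED.contains(name)) {
                session.removeAttribute(name);
                removed.add(name);
            }
        }
        return removed;
    }

    /** Small demo using spring-test's MockHttpSession (constructed sample data). */
    public static void main(String[] args) {
        MockHttpSession session = new MockHttpSession();
        session.setAttribute("selectedTab", "orders");            // application state
        session.setAttribute(CSRF_TOKEN_ATTR, "constructed-token"); // what CsrfFilter expects to find

        Set<String> removed = clearApplicationAttributes(session);

        System.out.println("removed: " + removed);                                  // [selectedTab]
        System.out.println("token kept: " + (session.getAttribute(CSRF_TOKEN_ATTR) != null)); // true
    }
}
```

Two points worth checking when you hit this error. First, CsrfFilter by default only requires the token for non-safe methods (GET, HEAD, TRACE and OPTIONS are exempt), so the tab-selecting GET does not need _csrf; what matters is that the GET response still carries a token that remains in the session when the later POST arrives. Second, if the legacy utility calls session.invalidate() rather than removing attributes one by one, no whitelist helps: the token is gone with the session, and the cleanup has to move to a point where a fresh token is issued afterwards.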