InvalidCsrfTokenException when submitting a form - spring

I'm working in a spring based web application (version 4.1.6.RELEASE, spring security 4.0.0.RELEASE) and I'm getting the error InvalidCsrfTokenException: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'. after submitting a form (POST method). According to the spring's documentation "Spring Security automatically inserts a CSRF form field for any <form:form> tags you use", so why I'm getting this exception?
Thanks in advance.
This is my spring security configuration:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http use-expressions="true" disable-url-rewriting="true">
<headers>
<frame-options/>
<xss-protection/>
<hsts/>
</headers>
<csrf/>
<intercept-url pattern="/welcome" access="isAuthenticated()" />
<!-- some others urls to intercept -->
<form-login login-page="/login" default-target-url="/welcome"
authentication-failure-url="/loginfailed" />
<logout logout-success-url="/logout" />
<session-management>
<concurrency-control max-sessions="1" expired-url="/login" />
</session-management>
</http>
And this is the definition of my form (excluding the fields it contains):
<form:form action="myaction" method="post" enctype="multipart/form-data" id="formId" modelAttribute="myBean">
</form:form>
Any help will be appreciated

The issue is arising because you are using a multi-part form. Please see the accepted answer here:
Spring CSRF token does not work, when the request to be sent is a multipart request

Related

Console errors when refreshing login page after upgrading to JSF 2.2 and RF 4.5.7

I have recently upgraded a web application from JSF 1.2 to JSF 2.2 as well as RF 3.3.3 to RF 4.5.7. I'm currently experiencing console errors when loading the first login.html page. This only happens when either the page is first loaded or when I refresh (F5 or shift F5). When I log in and log out again I don't receive these errors! The URL is exactly the same, e.g. host:port/xxx/login.html
This issue only occurs on this page. I'm using Spring (3.1.0) for the login although not sure if the issue is related. Security config in applicationContext.xml is:
<sec:http auto-config='true' pattern="/login.html*" security="none"/>
<sec:http pattern="/a4j/**" security="none"/>
<sec:http pattern="/css/**" security="none"/>
<sec:http pattern="/img/**" security="none"/>
<sec:http realm="Name goes here">
<sec:form-login login-processing-url="/j_spring_security_check"
login-page="/login.html"
authentication-failure-url="/login.html?fail"
default-target-url="/main.html"
always-use-default-target="true"/>
<sec:logout logout-url="/logout.html"/>
<sec:intercept-url pattern="/**" access="ROLE_USER"/>
</sec:http>
and in login.xhtml:
<form id="frm-login" action="j_spring_security_check" method="post">
<label class="above">Username<h:inputText id="j_username" /></label>
<rich:jQuery selector="#j_username" query="focus()"/><br/>
<label class="above">Password<h:inputSecret id="j_password" /></label><br/>
<h:commandButton id="submit" name="submit" type="submit" value="Login"> </h:commandButton>
</form>
Before the upgrade this was fine. Using Firebug I have compared the generated HTML between the times where I see console errors and times I don't.
Bad
Good
I believe I have applied all necessary updates such as removing old jar files (including removal of redundant Facelets 1.1.14, view handler references), updating RF code, XHTML page code and namespaces as well as web.xml and faces-config.xml updates.
One thing I do know is that when I comment out the following config I do not receive the error. So somehow this is interfering with the loading of resources on this page.
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
</filter-mapping>
Any ideas how to resolve this? Apologies in advance if I have missed some vital information required in helping resolve this.
UPDATE 1:
Images taken when loading page using Network tab on google chrome:
Bad
Good
UPDATE 2:
Good
Bad
Ok I found it (with some helpful pointers from BallusC). After the upgrade I had to update the security config in applicationContext.xml as follows:
<sec:http auto-config='true' pattern="/login.html*" security="none"/>
<sec:http pattern="/a4j/**" security="none"/>
<sec:http pattern="/css/**" security="none"/>
<sec:http pattern="/img/**" security="none"/>
<sec:http realm="name goes here">
<sec:form-login login-processing-url="/j_spring_security_check"
login-page="/login.html"
authentication-failure-url="/login.html?fail"
default-target-url="/main.html"
always-use-default-target="true"/>
<sec:logout logout-url="/logout.html"/>
<sec:intercept-url pattern="/login.html*" access="ROLE_USER"/>
<sec:intercept-url pattern="/a4j/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/css/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
<sec:intercept-url pattern="/img/**" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
</sec:http>
The root cause of my issue above was having the following entry in applicationContext.xml:
<sec:intercept-url pattern="/**" access="ROLE_USER"/>

wrong credentials should response with some custom message rather than redirecting to some link

I have a spring security application. Its working well. When I enter wrong credentials it redirect to spring_security_login?login_error where it show spring default login page. What I want is if user enter wrong credentials its should response with some custom message rather than redirecting to some link.
Here is my config
<http auto-config="true">
<form-login
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
If you just want to redirect the user to a custom URL use the authentication-failure-url attribute of <form-login>:
<http auto-config="true">
<form-login
authentication-failure-url="/myCustomLoginFailureURL"
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
If you want full control over what happens on login failures, use the authentication-failure-handler-ref attribute:
<beans:bean id="authenticationFailureHandler" class="my.company.AuthenticationFailureHandler" />
<http auto-config="true">
<form-login
authentication-failure-handler-ref="authenticationFailureHandler"
username-parameter="username"
password-parameter="password" />
<csrf/>
</http>
Note that my.company.AuthenticationFailureHandler needs to implement org.springframework.security.web.authentication.AuthenticationFailureHandler.

SaxParseException when trying to set security="none" in URL interceptor

I am trying to ignore security checking (it gets its own encryption setting) on one of the URLs within current Spring application, by using
<sec:intercept-url pattern="/notimportant/url**" security="none" />
but I get
nested exception is org.xml.sax.SAXParseException: cvc
-complex-type.3.2.2: Attribute 'security' is not allowed to appear in element
'sec:intercept-url'.
Here is the namespace setting:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:sec="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
So how can I avoid authentication for that url exactly
Try it with filters="none" instead of security="none".
<sec:intercept-url pattern="/notimportant/url**" filters="none" />
This is deprecated in Spring 3.1, though, so you can try this
<sec:http pattern="/notimportant/url**" security="none"/>
Check out the documentation for more details.
That's because security is not a valid attribute for element intercept-url. Try with access="IS_AUTHENTICATED_ANONYMOUSLY", like this:
<sec:intercept-url pattern="/notimportant/url**" access="IS_AUTHENTICATED_ANONYMOUSLY" />

POST to login-processing-url yields HTTP/404

Env:
Spring 3.1.3
Spring security: 3.1.3
Spring ldap: 1.3.1
JDK1.6
Problem:
I get a 404 on my login-processing-url.
Details:
I have three http intercept blocks: a public one, the second one used to intercept and
secure URLs for admins (uses authentication manager 1) and the third one for regular users
(uses authentication manager 2).
When the login form in http intercept block 1 post the credentials to the login-processing-url of the form login, it yields 404. I do mot get this - since the form login
announces the login-processing-url, shouldn't that filter chain recognize that URL?
Also, shluld I explicitly do "permitAll" on the login-processing-url of a form or is that
automagically done under the covers?
Lastly, is it problematic to have distinct http interceptor blocks to have distinct
login-processing-urls? (I cannot see why - but I ask anyways).
Configs:
Spring security configuration:
//...
<debug />
<global-method-security secured-annotations="enabled" />
<http pattern="/public/**" security="none"/>
<http use-expressions="true" pattern="/protected/x/support/**" authentication-manager-ref="lAdminAuthManager">
<intercept-url pattern="/protected/x/support/**" access="hasRole('ROLE_ADMIN')"/>
<form-login login-page="/public/login.jsp"
login-processing-url="/protected/x/support/j_spring_security_check"
username-parameter="username"
password-parameter="password"
authentication-failure-url="/login/form?error"
default-target-url="/protected/x/support/index.html"/>
</http>
<http use-expressions="true" entry-point-ref="lUserLoginEntryPoint">
<intercept-url pattern="/protected/x/foo1/**" access="permitAll"/>
<intercept-url pattern="/protected/x/foo2/**" access="permitAll"/>
<intercept-url pattern="/j_spring_security_check" access="permitAll"/>
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<custom-filter ref="lUserLoginFilter" position="FORM_LOGIN_FILTER"/>
<custom-filter ref="lPreauthAuthenticationFilter" position="PRE_AUTH_FILTER" />
</http>
//...
Any hints greatly appreciated!
Thanx,
Uma
Any way check the below links . It may help you
Visit http://krams915.blogspot.com/2010/12/spring-security-mvc-integration_18.html
http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity.html
Even a small url conflict in config files will cause 404 error.

Access spring security from second application

I have two applications, each located on it's own server. Both of them use Spring security with the standart settings.
The problem that I need to access first application through the second one. I need to send password and login to the first application when logging in the second.
Can somebody help with samples or tips please? Thank you.
My spring-security.xml in both applications:
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">
<http pattern="/favicon.ico" security="none" />
<http auto-config="true">
<intercept-url pattern="/**" access="ROLE_ADMIN"/>
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="hey" password="there" authorities="ROLE_ADMIN" />
</user-service>
</authentication-provider>
</authentication-manager>
you should use CAS for this instead of trying to access or pass user/pass across application.
please refer this link to get understanding how to use CAS in this kind of scenario.

Resources