Auth0 Home Blog Docs

${_csrf.token} on jsp always null with spring-security




I am working on a legacy Spring MVC application and I need to pass the _csrf token to a javascript but, after introducing spring-security ( to integrate with auth0 user authentication), these two rows are always null:

<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>

This is how I override the configure(HttpSecurity http):

@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(-2 /* SecurityProperties.ACCESS_OVERRIDE_ORDER */)
public class AppConfig extends WebSecurityConfigurerAdapter {

    protected void configure(HttpSecurity http) throws Exception {

            .antMatchers("/download/**", "/resources/**", "/plugins/**", "/js/**", "/css/**", "/colors/**", "/callback", "/login", "/loggedout").permitAll()


I have removed the DelegationgFilterProxy from the web.xml because it should be created extending the WebSecurityConfigurerAdapter and in according with this SO question ${_csrf.parameterName} and ${_csrf.token} return null I should re-add but, if I do, I get a startup error (missing springSecurityFilterChain).

So, the question is, why my tokens are null if I have implemented WebSecurityConfigurerAdapter and I do not disable the csrf?

Any clue? /