${_csrf.token} on jsp always null with spring-security


I am working on a legacy Spring MVC application and I need to pass the _csrf token to a javascript but, after introducing spring-security ( to integrate with auth0 user authentication), these two rows are always null:

<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>

This is how I override the configure(HttpSecurity http):

@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(-2 /* SecurityProperties.ACCESS_OVERRIDE_ORDER */)
public class AppConfig extends WebSecurityConfigurerAdapter {

    protected void configure(HttpSecurity http) throws Exception {

            .antMatchers("/download/**", "/resources/**", "/plugins/**", "/js/**", "/css/**", "/colors/**", "/callback", "/login", "/loggedout").permitAll()


I have removed the DelegationgFilterProxy from the web.xml because it should be created extending the WebSecurityConfigurerAdapter and in according with this SO question {_csrf.parameterName} and {_csrf.token} return null I should re-add but, if I do, I get a startup error (missing springSecurityFilterChain).

So, the question is, why my tokens are null if I have implemented WebSecurityConfigurerAdapter and I do not disable the csrf?

Any clue? /

Hey there!

Terribly sorry for such delay in response! We’re doing our best in providing the best developer support experience out there, but sometimes our bandwidth is just not enough for all the questions that are coming in. Sorry for the inconvenience!

Do you still require further assistance from us?