Auth0 Home Blog Docs

${_csrf.token} on jsp always null with spring-security

java

#1

Hello,

I am working on a legacy Spring MVC application and I need to pass the _csrf token to a javascript but, after introducing spring-security ( to integrate with auth0 user authentication), these two rows are always null:

<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>

This is how I override the configure(HttpSecurity http):

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@PropertySources(@PropertySource("classpath:auth0.properties"))
@Order(-2 /* SecurityProperties.ACCESS_OVERRIDE_ORDER */)
public class AppConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.authorizeRequests() 
            .antMatchers("/download/**", "/resources/**", "/plugins/**", "/js/**", "/css/**", "/colors/**", "/callback", "/login", "/loggedout").permitAll()
            .antMatchers("/**").authenticated()
            .and()
            .logout().permitAll();
    }

}

I have removed the DelegationgFilterProxy from the web.xml because it should be created extending the WebSecurityConfigurerAdapter and in according with this SO question ${_csrf.parameterName} and ${_csrf.token} return null I should re-add but, if I do, I get a startup error (missing springSecurityFilterChain).

So, the question is, why my tokens are null if I have implemented WebSecurityConfigurerAdapter and I do not disable the csrf?

Any clue? /
Thanks!