Simple example of Spring Security with Thymeleaf

感情败类 2020-12-25 14:57

hi I'm trying to follow a simple example about doing a simple login form page that I found in this page http://docs.spring.io/autorepo/docs/spring-security/4.0.x/guid

5 answers
  • 2020-12-25 15:36

    Worked for me only after added the following:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        ...
    
        // Store the CSRF token in an XSRF-TOKEN cookie (readable by JavaScript) instead of the HTTP session
        http.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());
        ...
    }
    
  • 2020-12-25 15:40

    From the Spring Security documentation

    CSRF protection is enabled by default with Java configuration. If you would like to disable CSRF, the corresponding Java configuration can be seen below. Refer to the Javadoc of csrf() for additional customizations in how CSRF protection is configured.

    And, when CSRF protection is enabled

    The last step is to ensure that you include the CSRF token in all PATCH, POST, PUT, and DELETE methods.

    In your case:

    • you have CSRF protection enabled by default (because you are using Java configuration),
    • you are submitting the login form using an HTTP POST and
    • are not including the CSRF token in the login form. For this reason, your login request is denied upon submission because the CSRF protection filter cannot find the CSRF token in the incoming request.

    You have already determined the possible solutions:

    1. Disable CSRF protection as http.csrf().disable(); or
    2. Include the CSRF token in the login form as a hidden parameter.

    Since you are using Thymeleaf, you will have to do something like the following in your HTML template for the login page:

    <form name="f" th:action="@{/login}" method="post">               
      <fieldset>
    
        <input type="hidden" 
               th:name="${_csrf.parameterName}" 
               th:value="${_csrf.token}" />
    
        ...
      </fieldset>
    </form>
    

    Note that you must use th:action and not HTML action as the Thymeleaf CSRF processor will kick-in only with the former.

    You could change the form submission method to GET just to get over the problem but that isn't recommended since the users are going to submit sensitive information in the form.

    I typically create a Thymeleaf fragment that is then used in all pages with forms to generate the markup for the forms with the CSRF token included. This reduces boilerplate code across the app.


    Use @EnableWebMvcSecurity instead of @EnableWebSecurity to enable automatic injection of the CSRF token with Thymeleaf tags. Also use <form th:action> instead of <form action> with Spring 3.2+ and Thymeleaf 2.1+ to force Thymeleaf to include the CSRF token as a hidden field automatically (source: Spring JIRA).

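    The answer above shows only the template fragment. As an added example (not code from the thread or from Spring), here is a complete Spring Security 4.x Java configuration that keeps CSRF protection at its default (enabled) and exposes a custom /login page, so that the Thymeleaf form with th:action and the hidden _csrf field is all the template side needs. The class name, the in-memory user and the URL paths are assumptions for illustration.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example: minimal Spring Security 4.x Java configuration for a Thymeleaf login page.
// @EnableWebSecurity (Spring Security 4.x) registers CsrfRequestDataValueProcessor, which is
// what th:action uses to append the hidden _csrf field automatically.
@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // the login page and static assets must be reachable anonymously
                .antMatchers("/login", "/css/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                // GET /login renders the Thymeleaf template; POST /login is handled by Spring Security
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
        // No http.csrf().disable() here: the default HttpSessionCsrfTokenRepository stays active,
        // so POST /login is rejected (HTTP 403) unless the _csrf parameter matches the session token.
    }

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        // constructed demo credentials; Spring Security 4.x accepts plain text in-memory passwords
        auth.inMemoryAuthentication()
            .withUser("user").password("password").roles("USER");
    }
}
```

    With this configuration the login template only needs `<form th:action="@{/login}" method="post">` and the `username`/`password` inputs; the hidden `_csrf` field from the answer above is added by Thymeleaf, and adding it explicitly as well is harmless because both copies carry the same token value.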
  • 2020-12-25 15:46

    Maybe that small piece of information helps anybody out: it is also mandatory to have the form attributed with th:action. Just attributing plain HTML action won't do and the hidden CSRF input field won't be added automatically.

    Couldn't find that piece of information documented anywhere and spent 2 hours of research on that. I had attributed the form with action="#" and set the corresponding value by JavaScript. The CSRF token input field wasn't added automatically until I added th:action="@{#}" to the form. Works like a charm now.

  • 2020-12-25 15:49

    You need to add Thymeleaf's Spring Security Dialect.

    1.) Add the Spring Security Dialect module to your classpath.

    Maven Example:

    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity3</artifactId>
        <version>2.1.2.RELEASE</version>
    </dependency>
    

    2.) Add the SpringSecurityDialect object to your SpringTemplateEngine

    import org.thymeleaf.extras.springsecurity3.dialect.SpringSecurityDialect;
    templateEngine.addDialect(new SpringSecurityDialect()); // add this line where the SpringTemplateEngine bean is built
    

    Source: Spring in Action 4th Edition

  • 2020-12-25 15:51

    Here is the solution that implements it exactly the way OP wanted:

    1. Replace @EnableWebSecurity with @EnableWebMvcSecurity (that's what OP is missing)
    2. Use th:action on <form> tag

    When you use @EnableWebMvcSecurity Spring Security registers the CsrfRequestDataValueProcessor, and when you use th:action Thymeleaf uses its getExtraHiddenFields method to add, well, extra hidden fields to the form. And the CSRF token is the extra hidden field.

    Since Spring Security 4.0, @EnableWebMvcSecurity has been deprecated and only @EnableWebSecurity is necessary. The _csrf protection continues to apply automatically.
