I am using Spring framework version 4.3.5.RELEASE. Spring security version is 4.2.2.RELEASE.
I am facing a strange issue related to CSRF. Whenever I submit a form (from a JSP file), Sometimes it works fine, the form gets submitted without error but sometimes after submitting the form, it shows Http Status 405 ? Method not supported. I have included csrf token too, both in hidden field as well as appended it as query string in form's action's tag.
Here is an example POST form from my project:
<form:form class="form-horizontal" method="POST" modelAttribute="dealerVisit" enctype="multipart/form-data"
action="http://localhost:8080/update/edit.html?${_csrf.parameterName}=${_csrf.token}">
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}">
</form:form>
Here is the controller where I am submitting the above form:
@RequestMapping(value = "/update/edit.html", method = RequestMethod.POST)
public String saveEdit(ModelMap map, @Valid @ModelAttribute(MODEL_KEY) DealerVisitVO dealerVisitVO, BindingResult result,
@RequestParam(required = false, name="followup") Boolean followup) {
//my codes here
}
The problem is coming random. It works sometimes and sometimes it doesnt. With no change in code or form. Disabling the CSRF is not a possible solution as this is 1 requirement of my client.
Please help if anyone was able to solve.
In spring security, CSRF token get generated per session basis and remains the same until your session is not expired. This is one case you are getting 405 method not allowed because your session is expiring on some interval (you may check that). Secondly, if you're using spring's form then there is no need to put token in hidden field explicitly, spring does it by default also no need to put it into the query string. Your code should be like this...