
I am using Spring Framework version 4.3.5.RELEASE. The Spring Security version is 4.2.2.RELEASE.

I am facing a strange issue related to CSRF. Whenever I submit a form (from a JSP file), sometimes it works fine and the form gets submitted without error, but sometimes after submitting the form it shows HTTP Status 405 - Method Not Supported. I have included the CSRF token too, both in a hidden field and appended as a query string in the form's action attribute.

Here is an example POST form from my project:

    <form:form class="form-horizontal" method="POST" modelAttribute="dealerVisit" enctype="multipart/form-data"
               action="http://localhost:8080/update/edit.html?${_csrf.parameterName}=${_csrf.token}">

        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}">
    </form:form>

Here is the controller where I am submitting the above form:

    @RequestMapping(value = "/update/edit.html", method = RequestMethod.POST)
    public String saveEdit(ModelMap map, @Valid @ModelAttribute(MODEL_KEY) DealerVisitVO dealerVisitVO, BindingResult result,
            @RequestParam(required = false, name = "followup") Boolean followup) {
        // my code here
    }

The problem occurs randomly. It works sometimes and sometimes it doesn't, with no change in code or form. Disabling CSRF is not a possible solution, as this is a requirement of my client.

Please help if anyone was able to solve this.

  • Can you provide a better explanation of why you think this has something to do with CSRF. A response of HTTP 405 does not imply a CSRF problem. 405 simply means that the HTTP method (POST, GET, etc) is not supported by the server for this resource. See https://tools.ietf.org/html/rfc7231#section-6.5.5. – EJK Sep 15 '17 at 05:03
  • If you could see my form's `method` attribute, it is set to `POST`. And the same `POST` type is specified on my controller's `RequestMapping`. Also, when I disable CSRF, the issue never comes up. Hence, it's related to CSRF. Also, before posting the question, I searched a lot about this problem and everything points to a CSRF issue with Spring Security. – sumit Sep 15 '17 at 05:07
  • I am facing the same issue. Hope for a permanent solution except disabling CSRF. – Sumit Badaya Sep 15 '17 at 08:42
  • Maybe the CSRF token has expired if the client did not make the call on time. Debug it. :-) – FranXho Mar 09 '18 at 06:30

1 Answer

In Spring Security, the CSRF token gets generated per session and remains the same until your session expires. This is one case where you are getting 405 method not allowed, because your session is expiring on some interval (you may check that). Secondly, if you're using Spring's form tag then there is no need to put the token in a hidden field explicitly; Spring does it by default. There is also no need to put it into the query string. Your code should be like this...

    <form:form class="form-horizontal" method="POST" modelAttribute="dealerVisit" enctype="multipart/form-data"
               action="http://localhost:8080/update/edit.html">

        <!-- Spring will add this hidden field by default -->
        <!-- <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"> -->
    </form:form>
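As an added example (not code from the question or the answer), here is a Spring Security 4.2-style Java configuration that keeps CSRF enabled and lets the application tell an expired session (no token left to compare against) apart from a token that was sent but does not match, so the user sees a clear "session expired" response instead of a puzzling status code. The class name and the /login?expired URL are assumptions.

```java
// Added example; the class name and the /login?expired redirect target are assumptions.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.csrf.InvalidCsrfTokenException;
import org.springframework.security.web.csrf.MissingCsrfTokenException;

@Configuration
@EnableWebSecurity
public class CsrfAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF stays enabled. The default repository keeps the token in the
            // HttpSession, so the token disappears together with the session.
            .csrf().and()
            .exceptionHandling().accessDeniedHandler(csrfAwareDeniedHandler());
    }

    /** Separates "no token in the session" (usually an expired session) from "wrong token". */
    private AccessDeniedHandler csrfAwareDeniedHandler() {
        return new AccessDeniedHandler() {
            @Override
            public void handle(HttpServletRequest request, HttpServletResponse response,
                               AccessDeniedException ex) throws IOException, ServletException {
                if (ex instanceof MissingCsrfTokenException) {
                    // The session (and its token) expired between rendering the form
                    // and submitting it: send the user back to log in (assumed URL).
                    response.sendRedirect(request.getContextPath() + "/login?expired");
                } else if (ex instanceof InvalidCsrfTokenException) {
                    // A token was sent but does not match the one stored in the session.
                    response.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid CSRF token");
                } else {
                    response.sendError(HttpServletResponse.SC_FORBIDDEN);
                }
            }
        };
    }
}
```

One caveat specific to the question's form: for multipart/form-data submissions, Spring Security's reference documentation requires either that the token be included in the action URL query string (as the question already does) or that MultipartFilter run before the Spring Security filter chain, otherwise the hidden field alone is not readable when the CSRF check runs.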