I have an application which uses Spring Security for Authentication. Earlier we were using spring security 3.2.10 and now trying to upgrade to 4.2.6. In spring 4 onwards, CSRF protection is enabled by default.
I am following the migration guide - https://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html
When I just changed the namespace and replaced security jars and tried to login from the login page, it gave 404 error for "/j_spring_security_check".
As per the Guide, I changed the form login action to "/login" instead of "/j_spring_security_check". Also changed the username and password parameters to "username" and "password" instead of "j_username" and "j_password" defined in the login page.
<form action="/login" method="POST">
After these changes I am getting CSRF token related error with 403 status code-
Type Status Report
Message Could not verify the provided CSRF token because your session was
not found.
Description The server understood the request but refuses to authorize it.
I disabled the CSRF protection by adding below in spring security config file -
<security:http disable-url-rewriting="true" use-expressions="true">
<security:csrf disabled="true"/>
..
<security:intercept-url pattern="/login.jsp"
access="hasRole('ROLE_ANONYMOUS')"/>
<security:form-login login-page="/login.jsp"
authentication-failure-url="/login.jsp?
login_error=1"
default-target-url="/index.html" authentication-
success-handler-ref="successHandler" always-use-default-
target="true"/>
<security:logout logout-success-url="/login.jsp"/>
But still this is not working and giving me CSRF related error with 403 status -
Type Status Report
Message Could not verify the provided CSRF token because your session was
not found.
Description The server understood the request but refuses to authorize it.
Is there anything I am missing ?
security:part. Do only this:<csrf disabled="true"/>. If this doesn't work, show me your namespaces please