
In a Spring Boot security project I get a Whitelabel Error Page when trying to be redirected from the login (after typing username and password) to the chosen page. Here are the details, beginning with the views, which are JSP files. The start.jsp only has one purpose, to redirect to test.jsp:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
    "http://www.w3.org/TR/html4/loose.dtd">
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
        <title>Startpage</title>
    </head>
    <body>
        <p>Click <a href="/test">here</a> Start.</p>
    </body>
</html>

The security setting for start.jsp is permitAll and the setting for test.jsp is authenticated, so before test.jsp, login.jsp will be called to type username and password:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
    "http://www.w3.org/TR/html4/loose.dtd">
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
        <title>Login</title>
    </head>
    <body>

        <form method="POST" action="/login">
            User Name : <input type="text" name="username"/>
            Password: <input type="password" name="password"/>
            <button type="submit">Submit</button>
        </form>
    </body>
</html>

and the end page test.jsp looks like this:

<%@ page language="java" contentType="text/html; charset=ISO-8859-1"
    pageEncoding="ISO-8859-1"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
    "http://www.w3.org/TR/html4/loose.dtd">
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
        <title>Insert title here</title>
    </head>
    <body>
        Hi
    </body>
</html>

The error message is:

Whitelabel Error Page This application has no explicit mapping for /error, so you are seeing this as a fallback. Thu Mar 01 21:43:40 CET 2018 There was an unexpected error (type=Forbidden, status=403). Could not verify the provided CSRF token because your session was not found.

It is run on my localhost over plain HTTP without SSL or any other security settings chosen, except for the Spring Boot Security dependency in the pom.xml file:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

The MVC is handled by:

package com.proj.db_proj;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ViewControllerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

@Configuration
public class MvcConfig extends WebMvcConfigurerAdapter {

    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/login").setViewName("login");
        registry.addViewController("/startpage").setViewName("startpage");
        registry.addViewController("/test").setViewName("test");
        registry.addViewController("/").setViewName("start");
    }
}

and the web security with the authentication and configuration:

package com.proj.db_proj;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/start").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .permitAll()
                .and()
            .logout()
                .permitAll();
    }

    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth
            .inMemoryAuthentication()
            .withUser("user").password("user").roles("USER");
    }
}

Can anyone see an error or know why I get the Whitelabel error page? I have followed manuals and checked tutorials and also questions here on Stack Overflow without finding any answers.

bajen micke
  • Your login page doesn't submit the CSRF token, so you get an error. See [Spring Security Reference](https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-include-csrf-token). – dur Mar 05 '18 at 15:40

2 Answers


In your error message, you did not append the CSRF token:

Could not verify the provided CSRF token because your session was not found.

In Spring Boot Security, CSRF is enabled by default.
If you want to disable CSRF, append this code to your HttpSecurity configuration (do not miss the .and()):

.csrf().disable();
Min Hyoung Hong
  • Hi. Tried it but it just bounced back to login.jsp. When I followed the tutorials no one has used that command and I have seen posts here on Stack Overflow not recommending to disable .csrf. The only difference from my code from the tutorials is that they have used the Thymeleaf template, but I can't see that as a problem? – bajen micke Mar 03 '18 at 11:25
  • If you don't want to disable csrf, then refer spring boot csrf token chapter : https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html#csrf-include-csrf-token or http://www.baeldung.com/spring-security-csrf – Min Hyoung Hong Mar 05 '18 at 01:03
  • And https://stackoverflow.com/questions/38004035/could-not-verify-the-provided-csrf-token-because-your-session-was-not-found-in-s This is the discussion about 'Could not verify the provided CSRF token because your session was not found.' error. – Min Hyoung Hong Mar 05 '18 at 01:04
  • Did you specify Spring session management as stateless? If so, specify it as if-required. – talipkorkmaz Mar 05 '18 at 18:44
  • But according to the docs the EnableWebSecurity annotation that I have should take care of CSRF handling. – bajen micke Mar 06 '18 at 09:33

You should use the Thymeleaf namespace to actually use CSRF (which is enabled by default).

Change:

<form method="POST" action="/login">

to:

<form method="POST" th:action="@{/login}">
jarosik
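The question uses plain JSP, not Thymeleaf, so Thymeleaf's th:action (which appends the CSRF field automatically through Spring's RequestDataValueProcessor) does not apply; the JSP equivalent of both answers, keeping CSRF enabled, is to carry the token in the form by hand, as in this added example (not code from the question or either answer). It assumes the question's /login processing URL and that Spring Security's CsrfFilter is active, which exposes the token as the "_csrf" request attribute.

```jsp
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%-- Added example: JSP login form carrying the Spring Security CSRF token.
     CsrfFilter stores the current CsrfToken in the "_csrf" request attribute,
     so EL can read the expected parameter name and the token value. --%>
<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
    <form method="POST" action="${pageContext.request.contextPath}/login">
        User Name: <input type="text" name="username"/>
        Password:  <input type="password" name="password"/>
        <%-- This hidden field is what the original form lacked: CsrfFilter
             compares its value with the token held in the session and answers
             403 Forbidden when the two do not match. --%>
        <input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
        <button type="submit">Submit</button>
    </form>
</body>
</html>
```

Reading ${_csrf} in the view also explains the exact message in the question: the default LazyCsrfTokenRepository only saves the token (and creates the HTTP session) when something calls getToken(), so a JSP that never references it leaves no session behind and the POST fails with "session was not found" rather than "invalid token". With spring-security-taglibs on the classpath the hidden field can equally be emitted with `<sec:csrfInput/>`, and Spring's `<form:form>` tag adds it automatically.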