Invalid CSRF token found for /zkau with Spring Security

asked 2015-09-14 10:38:23 +0800

CodeLover gravatar image CodeLover

updated 2015-09-14 10:42:58 +0800

I'm trying to integrate Spring Security with ZK.

I stuck with error message: Invalid CSRF token found for xxx/cbpm/zkau.

My full stacktrace

2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 1 of 14 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (AntPathRequestMatcher.java:151) - Checking match of request : '/zkau'; against '/zkau/**'
2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (ChannelProcessingFilter.java:142) - Request: FilterInvocation: URL: /zkau; ConfigAttributes: [ANY_CHANNEL]
2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 2 of 14 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2015-09-14 17:12:58,288 +0700 [http-nio-8787-exec-91] DEBUG (HttpSessionSecurityContextRepository.java:192) - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: '[email protected]63b976: Authentication: org.springframew[email protected]c363b976: Principal: [email protected]; Credentials: [PROTECTED]; Authenticated: true; Details: null; Granted Authorities: SSORole{name=ROLE_ADMIN, privileges=null}'
2015-09-14 17:12:58,289 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 3 of 14 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2015-09-14 17:12:58,289 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 4 of 14 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2015-09-14 17:12:58,289 +0700 [http-nio-8787-exec-91] DEBUG (HstsHeaderWriter.java:128) - Not injecting HSTS header since it did not match the requestMatcher org.springframework.se[email protected]244bd1a9
2015-09-14 17:12:58,289 +0700 [http-nio-8787-exec-91] DEBUG (FilterChainProxy.java:324) - /zkau at position 5 of 14 in additional filter chain; firing Filter: 'CsrfFilter'
2015-09-14 17:12:58,290 +0700 [http-nio-8787-exec-91] DEBUG (CsrfFilter.java:106) - Invalid CSRF token found for xxx/cbpm/zkau
2015-09-14 17:12:58,291 +0700 [http-nio-8787-exec-91] DEBUG (SecurityContextPersistenceFilter.java:105) - SecurityContextHolder now cleared, as request processing completed

I don't use Spring Security default authentication provider. I made custom provider and call it not with login form, but with an url like xxx/cbpm/sso/checkpoint.zul?token=xxxxxxx

and then I processed that token with this code:

public class SSOTokenHandler implements Initiator {

    private static final Logger logger = Logger.getLogger(SSOTokenHandler.class.getName());

    AuthenticationManager authenticationManager;

    public void doInit(Page page, Map<String, Object> map) throws Exception {
        authenticationManager = (AuthenticationManager) SpringUtil.getBean("authenticationManager");
        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(null, Executions.getCurrent().getParameter("token"));
        try {
            if (authenticationManager != null) {
                Authentication auth = authenticationManager.authenticate(token);
        } catch (AuthenticationException e) {

Above code run well, and show index page.

But, every I do click something (fired ajax request), then 403 error arise with my attached log.

Please help me. :)

My spring-security.xml

<http auto-config="true">
        <form-login login-page="xxx/PortalSSO/auth/login.do?redirect=/sso/checkpoint/SDM02.do"/>
<!--        <intercept-url pattern="/api/auth/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_USER')" />
        <intercept-url pattern="/resources/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_USER')" />
        <intercept-url pattern="/auth/login.do" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_USER')" />-->
        <intercept-url pattern="/zkau/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_ADMIN')" requires-channel="any"/>
        <intercept-url pattern="/css/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_ADMIN')" requires-channel="any"/>
        <intercept-url pattern="/img/**" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_ADMIN')" requires-channel="any"/>
        <intercept-url pattern="/sso/checkpoint.zul" access="hasAnyRole('ROLE_ANONYMOUS', 'ROLE_ADMIN')" />
        <intercept-url pattern="/**" access="hasRole('ROLE_ADMIN')" />
        <session-management session-fixation-protection="none" /> 
        <!--<logout logout-success-url="/login.zul"/>-->

    <authentication-manager alias="authenticationManager">  
        <authentication-provider ref="SSOAuthenticationProvider" />

    <beans:bean id="SSOAuthenticationProvider" class="ptpn4.rawi.sso.client.authentication.SSOAuthenticationProvider"/>

My library stack: - ZK EE - ZK Spring Core 3.1.1 - ZK Spring Security 3.1.1 - Spring Framework 4.2.1 (core, web, beans, context, aop, expression) - Spring Security 4.0.2 (core, web, config)

delete flag offensive retag edit
Be the first one to answer this question!
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools




Asked: 2015-09-14 10:38:23 +0800

Seen: 44 times

Last updated: Sep 14 '15

Support Options
  • Email Support
  • Training
  • Consulting
  • Outsourcing
Learn More