FreezY FreezY - 1 year ago 179
Java Question

Could not verify the provided CSRF token because your session was not found

I've been searching about this problem but still cannot avoid it. The problem only comes when I'm trying to make an Ajax call. The system will return the error

Could not verify the provided CSRF token because your session was not found.

Based on Spring MVC and CSRF Integration, I need to include @EnableWebSecurity to resolve this if I'm using Java Config, but if using XML, I need to use this:

import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class CsrfController {

    // Exposes the current session's CSRF token as JSON so an Ajax client can read it
    @RequestMapping("/csrf")
    public CsrfToken csrf(CsrfToken token) {
        return token;
    }
}

And I'm not sure how to use the above class.

The question is how to use the above class if it's really a solution, or are there any other solutions I can use?

This is my security config XML file:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="">

    <!-- Global Security Settings -->
    <global-method-security pre-post-annotations="enabled" />
    <context:component-scan base-package="" />

    <!-- Reads WEB Configuration file to resolve ${} and read @Value for Security-->
    <context:property-placeholder location="classpath:cfg/web.cfg" />
    <context:annotation-config />

    <!-- Security Access Configuration -->

    <http auto-config="false" use-expressions="true" authentication-manager-ref="CAP" disable-url-rewriting="true" entry-point-ref="IAE">

        <session-management session-fixation-protection="newSession" session-authentication-error-url="/logout?timeout" >
            <concurrency-control max-sessions="1" expired-url="/logout?expired" />
        </session-management>
        <custom-filter position="PRE_AUTH_FILTER" ref="entryFilter" />
        <intercept-url pattern="/resources/**" access="permitAll()" requires-channel="https" />
        <intercept-url pattern="/clearcache" access="permitAll()" requires-channel="https" />
        <intercept-url pattern="/logout" access="permitAll()" requires-channel="https" />
        <intercept-url pattern="/**" access="isFullyAuthenticated()" requires-channel="https" />

        <port-mappings >
            <port-mapping http="7001" https="7002" />
        </port-mappings>

        <headers>
            <frame-options policy="SAMEORIGIN" />
            <hsts />
            <cache-control />
            <xss-protection />
            <content-type-options />
        </headers>

    </http>

    <beans:bean id="entryFilter" class="" >
        <beans:property name="authenticationManager" ref="CAP"/>
    </beans:bean>
    <beans:bean id="IAE" class="" />
    <beans:bean id="CAP" class="" />

    <beans:import resource="../aop/aspect-security.xml" />

</beans:beans>

In addition, I'm using a system similar to CA SiteMinder which validates the user based on header info with no login form.

Answer Source

Because some of the moderators here really cannot differentiate the answer from the question, I just want to highlight something here:


Ok, so here's the thing: from other questions that literally have the same cause, mostly it affects systems that use REST, headers without form login. This means that the webapp is in the container system. So the location of both systems, either the container or the system in the container, is completely different at the client side.

Here are the examples:

For container webapp:

For webapp in container:

This difference will deny the access and give the 403 because, for sure, the one we are looking in does not exist there.


The /playground URI exists there but for sure is forbidden here:

So please check your URI and try to make sure you are using a relative path. It's much better.

P/S: For some reason, everything that is being called from the server side remains intact, either in the container or in the system in the container. This happens because the server side is using relative paths, not absolute paths.
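The following is an added example and is not part of the original answer: it shows how a browser resolves absolute and relative hrefs from a page that lives inside a webapp's context path, and whether a cookie scoped to that context path would be sent with the resulting request. The host name, port and context path are constructed for illustration, and the cookie scoping assumes the servlet-container default of setting the session cookie's path to the context path.

```javascript
// Added example, not part of the original answer: absolute vs. relative
// hrefs resolved from a page inside a webapp's context path, plus the
// RFC 6265 path-match that decides whether a context-scoped cookie is sent.
// Host, port and context path are constructed for illustration.
const PAGE_URL = 'https://app.example:7002/webapp/secure/page';
// Assumption: the container scoped the session cookie to the context path,
// which is the servlet-container default.
const SESSION_COOKIE_PATH = '/webapp';

// What the browser actually requests for a given href on PAGE_URL.
function resolvePath(href) {
  return new URL(href, PAGE_URL).pathname;
}

// Path-match rule from RFC 6265 section 5.1.4.
function cookiePathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

function check(href) {
  const path = resolvePath(href);
  return { href, path, sessionCookieSent: cookiePathMatches(SESSION_COOKIE_PATH, path) };
}

// A leading slash leaves the webapp entirely; relative forms stay inside it.
// '/webapp2/...' is included because a naive prefix test would wrongly accept it.
function demo() {
  return ['/playground', 'playground', '../playground', '/webapp/playground', '/webapp2/playground'].map(check);
}

console.table(demo());
```

Run it with node and compare the path column with what the server logs: an absolute href such as /playground is requested at the container root, outside the webapp, so the request arrives without the webapp's session and is refused, while playground or ../playground resolves under /webapp and carries the session cookie.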