Spring Boot Security - Enabling CSRF Protection

In a previous post we had implemented Spring Boot Security - Password Encoding Using Bcrypt.
But until now, in all our examples, we had disabled CSRF. CSRF stands for Cross-Site Request Forgery. It is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

Spring Boot Security - Table Of Contents

  • Spring Boot + Simple Security Configuration
  • Spring Boot Form Security Login Hello World Example
  • Spring Boot Security - Custom Login Page Example
  • Spring Boot Security - JDBC Authentication Example
  • Spring Boot Security - Creating Users Programmatically Using JdbcUserDetailsManager
  • Spring Boot Security - Password Encoding Using Bcrypt
  • Spring Boot Security - Enabling CSRF Protection
  • Spring Boot Security - Authentication Handler Example
  • Spring Boot Security - Introduction to OAuth
  • Spring Boot OAuth2 Part 1 - Getting The Authorization Code
  • Spring Boot OAuth2 Part 2 - Getting The Access Token And Using it to Fetch Data


This tutorial is explained in the below YouTube video.

Understanding the CSRF attack-

Previously we had implemented Spring Boot Security - Password Encoding Using Bcrypt. Start that application and log in using a valid username and password.

Do not close the above window. Now suppose you receive a mail with the following content.
Hi JavaInUse

<form method="post" action="http://localhost:8080/addNewEmployee">
<input id="empId" type="hidden" name="empId" value="Hacker001"/>
<input id="empName" type="hidden" name="empName" value="hacker"/>
<input type="SUBMIT" value="Surprise..Surprise..See What This Does" />
</form>
You open this page and click on the surprise button-

We see that it has added an employee with the name hacker to our application. This is a CSRF attack: the browser automatically attached our session cookie to the form submitted from the foreign page, so the application treated the forged request as if we had made it ourselves. Next we see how to tackle this CSRF attack.

Let's Begin-

We will be using the CSRF security token so that state-changing requests are accepted only when they originate from pages served by our own application.
We will be modifying the code we developed in the previous Spring Boot Security - Password Encoding Using Bcrypt tutorial.
The Maven project will be as follows-


In the pom.xml add the spring-security-taglibs dependency, which provides the sec taglib we will use in the JSP pages. The other entries (coordinates, Spring Boot parent and starter dependencies) are unchanged from the previous tutorial.
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
	<!-- groupId, artifactId and version unchanged from the previous tutorial -->
	<description>Demo project for Spring Boot</description>

	<parent>
		<!-- spring-boot-starter-parent coordinates unchanged from the previous tutorial -->
		<relativePath /> <!-- lookup parent from repository -->
	</parent>

	<dependencies>
		<!-- starter dependencies unchanged from the previous tutorial -->

		<!-- added: provides the <sec:csrfInput /> tag; version is managed by the Spring Boot parent -->
		<dependency>
			<groupId>org.springframework.security</groupId>
			<artifactId>spring-security-taglibs</artifactId>
		</dependency>
	</dependencies>
</project>

Next we modify the security configuration to enable CSRF protection. Spring Security turns it on by default, so all we have to do is comment out the http.csrf().disable() call that we used in the earlier tutorials.
package com.javainuse.config;

import javax.sql.DataSource;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.JdbcUserDetailsManager;

@Configuration
@EnableWebSecurity
public class EmployeeSecurityConfiguration extends WebSecurityConfigurerAdapter {

	@Autowired
	DataSource dataSource;

	@Bean
	public PasswordEncoder passwordEncoder() {
		return new BCryptPasswordEncoder();
	}

	// Enable jdbc authentication
	@Autowired
	public void configAuthentication(AuthenticationManagerBuilder auth) throws Exception {
		auth.jdbcAuthentication().dataSource(dataSource).passwordEncoder(passwordEncoder());
	}

	@Bean
	public JdbcUserDetailsManager jdbcUserDetailsManager() throws Exception {
		JdbcUserDetailsManager jdbcUserDetailsManager = new JdbcUserDetailsManager();
		jdbcUserDetailsManager.setDataSource(dataSource);
		return jdbcUserDetailsManager;
	}

	@Override
	public void configure(WebSecurity web) throws Exception {
		// unchanged from the previous tutorial
	}

	@Override
	protected void configure(HttpSecurity http) throws Exception {
		// the custom login page path (/login) is the one set up earlier in this series
		http.authorizeRequests().antMatchers("/getEmployees").hasAnyRole("USER", "ADMIN")
				.anyRequest().authenticated().and().formLogin().loginPage("/login").permitAll()
				.and().logout().permitAll();
		// CSRF protection is enabled by default; the following line is what used to switch it off
		// http.csrf().disable();
	}

	// @Autowired
	// public void configureGlobal(AuthenticationManagerBuilder authenticationMgr)
	// throws Exception {
	// authenticationMgr.inMemoryAuthentication().withUser("admin").password("admin").authorities("ROLE_USER").and()
	// .withUser("javainuse").password("javainuse").authorities("ROLE_USER",
	// "ROLE_ADMIN");
	// }
}

Next, in all the JSP pages add the Spring Security taglib declaration, and inside every form that posts to the application add the csrf token tag. The tag renders a hidden _csrf input carrying the token that Spring Security stores for the current session; a form on a foreign page cannot obtain this value, so its submission will be rejected.
<%@ taglib prefix="sec" uri="http://www.springframework.org/security/tags" %>
<sec:csrfInput />
Start the application -
  • Go to localhost:8080/welcome; we will be redirected to the custom login page.
  • Log in using valid credentials.

  • Again click on the surprise button of the CSRF attack page.

This time the forged request is rejected: Spring Security responds with 403 Forbidden because no valid CSRF token is present, and no employee is added. So our application is now protected against the attack.
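As an added check (example code, not part of the original tutorial), the following MockMvc test replays the attack page's POST against /addNewEmployee without a token, with a wrong token, and with a valid one. It assumes spring-security-test in test scope, JUnit 5 (Spring Boot 2.2 or later), that the test context starts like the application (including its DataSource), and a user javainuse with ROLE_USER; the class name CsrfProtectionTest is hypothetical and the parameter values are those of the attack form above.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.ResultMatcher;
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;

// Added example: verifies that /addNewEmployee rejects the forged POST from the attack page.
// Assumes spring-security-test (test scope) is on the classpath; it is not listed on the page.
@SpringBootTest
@AutoConfigureMockMvc
public class CsrfProtectionTest {

	@Autowired
	private MockMvc mockMvc;
	// The controller may answer 200 or redirect; anything but 403 means the token check passed.
	private static final ResultMatcher NOT_FORBIDDEN = result -> {
		if (result.getResponse().getStatus() == 403) {
			throw new AssertionError("request was rejected by CSRF protection");
		}
	};

	// Exactly what the attack form submits, on an authenticated session (assumed user javainuse / ROLE_USER).
	private MockHttpServletRequestBuilder forgedPost() {
		return post("/addNewEmployee")
				.param("empId", "Hacker001")
				.param("empName", "hacker")
				.with(user("javainuse").roles("USER"));
	}

	@Test
	public void postWithoutCsrfTokenIsRejected() throws Exception {
		// Cross-site form submission: session cookie present, no _csrf parameter
		mockMvc.perform(forgedPost()).andExpect(status().isForbidden());
	}

	@Test
	public void postWithWrongCsrfTokenIsRejected() throws Exception {
		mockMvc.perform(forgedPost().with(csrf().useInvalidToken())).andExpect(status().isForbidden());
	}

	@Test
	public void postWithValidCsrfTokenIsAccepted() throws Exception {
		// csrf() supplies the same _csrf parameter that <sec:csrfInput /> renders in our own pages
		mockMvc.perform(forgedPost().with(csrf())).andExpect(NOT_FORBIDDEN);
	}
}
```

On Spring Boot versions that still use JUnit 4, replace the JUnit 5 import with org.junit.Test and annotate the class with @RunWith(SpringRunner.class).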

Download Source Code

Download it -
Spring Boot Security - Securing application against CSRF attack