Thymeleaf Webflux Security, Csrf not added to views

I am trying to add csrf tags to forms however it seems like it works differently than it did in mvc.

So what I did was adding <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />

to login form however the _csrf attribute is not present even though these annotations are present

@EnableWebFluxSecurity
@EnableReactiveMethodSecurity

Here's my SecurityWebFilterChain:

 http
                .authorizeExchange().pathMatchers(
                "/landing",
                "/",
                "/register",
                "/login",
                "/favicon.ico",
                "/js/**",
                "/fonts/**",
                "/assets/**",
                "/css/**",
                "/webjars/**").permitAll()
                .anyExchange().authenticated()
                .and()
                .httpBasic()
                .and()
                .formLogin().loginPage("/login")
                .and().logout()

What am I missing?

UPDATE: Added the dependencies I am using that are related.

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.0.3.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>
<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
    <java.version>1.8</java.version>
    <thymeleaf.version>3.0.9.RELEASE</thymeleaf.version>
    <thymeleaf-layout-dialect.version>2.0.0</thymeleaf-layout-dialect.version>

</properties>
<dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-webflux</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-redis</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.integration</groupId>
            <artifactId>spring-integration-redis</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.session</groupId>
            <artifactId>spring-session-data-redis</artifactId>
        </dependency>
        <dependency>
            <groupId>net.sourceforge.nekohtml</groupId>
            <artifactId>nekohtml</artifactId>
            <version>1.9.22</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.thymeleaf.extras</groupId>
            <artifactId>thymeleaf-extras-springsecurity4</artifactId>
            <version>3.0.2.RELEASE</version>
        </dependency>
        <dependency>
            <groupId>io.github.jpenren</groupId>
            <artifactId>thymeleaf-spring-data-dialect</artifactId>
            <version>3.3.1</version>
        </dependency>
        <dependency>
            <groupId>org.thymeleaf</groupId>
            <artifactId>thymeleaf-spring5</artifactId>
            <version>3.0.9.RELEASE</version>
        </dependency>
    </dependencies>

UPDATE When I include the hidden input tag with csrf to the login form:

<input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}" />

I get this error:

org.thymeleaf.exceptions.TemplateProcessingException: Exception evaluating SpringEL expression: "_csrf.parameterName" (template: "public/login" - line 75, col 17)

Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1007E: Property or field 'parameterName' cannot be found on null

Because _csrf is null for some reason, even though the annotations are in place.

Login controller:

 @GetMapping("/login")
    public String login(Model model) {
        return "public/login";
    }

Also tried adding a controller advice like this:

@ControllerAdvice
public class SecurityAdvice {

    @ModelAttribute("_csrf")
    Mono<CsrfToken> csrfToken(final ServerWebExchange exchange) {

        final Mono<CsrfToken> csrfToken = exchange.getAttribute(CsrfToken.class.getName());

        return csrfToken.doOnSuccess(token -> exchange.getAttributes()
                .put(DEFAULT_CSRF_ATTR_NAME, token)).log();
    }
}

Similarly as it was used here: https://github.com/daggerok/csrf-spring-webflux-mustache

However this results in

java.lang.NullPointerException: null
    at com.a.Config.SecurityAdvice.csrfToken(SecurityAdvice.java:23) ~[classes/:na]

This line is the return part of the last snippet.

This is what i did to get it working.

@GetMapping("/login")
public Mono<String> login(ServerWebExchange exchange, Model model) {
    Mono<CsrfToken> token = exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
    return token.map(t -> {
        model.addAttribute("_csrf", t);
        return "login";
    });
}

CsrfWebFilter not generating the CSRF token with Webflux · Issue , I am trying to add csrf tags to forms however it seems like it works differently than it did in mvc. So what I did was adding <input type="hidden" th:name="${_csrf. 4 Thymeleaf Webflux Security, Csrf not added to views Jun 18 '18 4 Webflux multipart/form-data, csrf enabled, with and without file upload getting Invalid CSRF Token Aug 29 '18 3 Spring AWS S3: How to upload an image and get a URL which shows it rather than downloads it?

I had to include thymeleaf-extras-springsecurity5 (not springsecurity4) to get this working.

I couldn't find any CsrfToken, which meant the answer from @mk88 didn't help nor this guide.

Once I'd included the following dependency, it worked flawlessly as designed:

    <dependency>
        <groupId>org.thymeleaf.extras</groupId>
        <artifactId>thymeleaf-extras-springsecurity5</artifactId>
        <version>3.0.4.RELEASE</version>
    </dependency>

Output from Thymeleaf:

<form action="/members" method="POST" ><input type="hidden" name="_csrf" value="432033fd-1076-4620-9f99-d0220b6d3071"/>

Update webflux-form sample to use Thymeleaf Built in CSRF , I have a Spring Webflux application secured by Spring Security with I can't get the CSRF token to be saved in the Websession nor added in the model. from the view model (maybe this one is an issue with Thymeleaf). can't find any examples or documentation on how to use #webflux.fn with model and #thymeleaf Is it possible to use thymeleaf with spring 5 webflux functional style routers ? danielfernandez self-assigned this May 29, 2017

The cleanest solution that will work across all your controllers is to use a @ControllerAdvice as detailed in the documentation:

@ControllerAdvice
public class SecurityControllerAdvice {
    @ModelAttribute
    Mono<CsrfToken> csrfToken(ServerWebExchange exchange) {
        Mono<CsrfToken> csrfToken = exchange.getAttribute(CsrfToken.class.getName());
        return csrfToken.doOnSuccess(token -> exchange.getAttributes()
                .put(CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME, token));
    }
}

Thymeleaf + Spring Security integration basics, We should update the webflux-form sample to demonstrate it. Thymeleaf provides automatic integration with Spring Security's CSRF rwinch added this to the 5.2.x milestone on Nov 8, 2018 Sign in to view RELEASE because 'org​.thymeleaf.extras:thymeleaf-extras-springsecurity' alone does not  In this article, we will discuss how to prevent Cross-Site Request Forgery (CSRF) attacks in Spring MVC with Thymeleaf application. To be more specific, we will test CSRF attack for HTTP POST method. To be more specific, we will test CSRF attack for HTTP POST method.

A Guide to CSRF Protection in Spring Security, You can view or download the source code from its GitHub repo. support both Spring MVC and Spring WebFlux applications since Spring Security 5, but this article In this case Spring Security is not involved at all, we should simply add an  Note that the Thymeleaf integration packages for Spring Security support both Spring MVC and Spring WebFlux applications since Spring Security 5, but this article will focus on a Spring MVC configuration. Prerequisites. We asume you are familiar with Thymeleaf and Spring Security, and you have a working application using these technologies.

Web on Reactive Stack - Project Metadata API Guide, CSRF Protection with Spring MVC and Thymeleaf A guide to method-level security using the Spring Security framework. HTTP methods for anything that modifies state (PATCH, POST, PUT, and DELETE – not GET). What's so wrong about the last release being from 8 months ago? :) No, don't worry, Thymeleaf is not dead, and there is quite a lot of work already done for the upcoming 3.0.10, which is a difficult release because of some technical difficulties related to Spring Security 5 integration.

Spring Security Reference, To configure view resolution is as simple as adding a ViewResolutionResultHandler bean to your Spring configuration. WebFlux Config provides  This all made me delay a lot the release of Thymeleaf 3.0.10 in fact, because I needed support for this scenario from the core. In fact, 3.0.10 is not yet released because I first want to be really sure that what was made does work for the entire Spring Security 5 + WebFlux scenario…

Comments
  • Are you getting any error(s)?
  • @SupunDharmarathne Updated the question.
  • Regarding this, do you have any idea why I get 'Invalid CSRF Token' when a form's enctype is multipart, but working fine otherwise? I need to upload files sometimes and that requires the use of multipart. Opened another question: stackoverflow.com/questions/52074742/…