Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-2453: Create 403 CSRF FAQ Entry

This commit is contained in:
Rob Winch 2013-12-16 09:02:02 -06:00
parent 994117ad75
commit 5205bf57c6
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
docs/manual/src/asciidoc/faq.adoc
View File

@ -70,6 +70,7 @@ From a Spring Security perspective, the first thing you should do is follow the
.. <<faq-session-listener-missing>>
.. <<faq-unwanted-session-creation>>
. Miscellaneous
.. <<403-csrf>>
.. <<faq-no-security-on-forward>>
.. <<faq-method-security-in-web-context>>
.. <<faq-no-filters-no-context>>
@ -206,6 +207,11 @@ This usually means that the user's application is creating a session somewhere,
If you are having trouble working out where a session is being created, you can add some debugging code to track down the location(s). One way to do this would be to add a `javax.servlet.http.HttpSessionListener` to your application, which calls `Thread.dumpStack()` in the `sessionCreated` method.
[[403-csrf]]
=== I get a 403 Forbidden when performing a POST
If an HTTP 403 Forbidden is returned for HTTP POST, but works for HTTP GET then the issue is most likely related to http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf[CSRF]. Either provide the CSRF Token or disable CSRF protection (not recommended).
[[faq-no-security-on-forward]]
=== I'm forwarding a request to another URL using the RequestDispatcher, but my security constraints aren't being applied.