From 5205bf57c67778f762787c6343a40889317f15c2 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Mon, 16 Dec 2013 09:02:02 -0600 Subject: [PATCH] SEC-2453: Create 403 CSRF FAQ Entry --- docs/manual/src/asciidoc/faq.adoc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/manual/src/asciidoc/faq.adoc b/docs/manual/src/asciidoc/faq.adoc index 6762d54f20..17b2c74ee0 100644 --- a/docs/manual/src/asciidoc/faq.adoc +++ b/docs/manual/src/asciidoc/faq.adoc @@ -70,6 +70,7 @@ From a Spring Security perspective, the first thing you should do is follow the .. <> .. <> . Miscellaneous +.. <<403-csrf>> .. <> .. <> .. <> @@ -206,6 +207,11 @@ This usually means that the user's application is creating a session somewhere, If you are having trouble working out where a session is being created, you can add some debugging code to track down the location(s). One way to do this would be to add a `javax.servlet.http.HttpSessionListener` to your application, which calls `Thread.dumpStack()` in the `sessionCreated` method. +[[403-csrf]] +=== I get a 403 Forbidden when performing a POST + +If an HTTP 403 Forbidden is returned for HTTP POST, but works for HTTP GET then the issue is most likely related to http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf[CSRF]. Either provide the CSRF Token or disable CSRF protection (not recommended). + [[faq-no-security-on-forward]] === I'm forwarding a request to another URL using the RequestDispatcher, but my security constraints aren't being applied.
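Review bot: the index entry `.. <<403-csrf>>` is placed first in the Miscellaneous group, while the second hunk inserts the new section after the "where is a session being created" entry and immediately before `[[faq-no-security-on-forward]]`; check that the position in the list matches the position of the section in the document, since the surrounding entries (shown here only as `.. <>`) are ordered to follow the sections, and an index that is out of sequence is confusing to readers working through the FAQ top to bottom. The anchor name itself is consistent: `<<403-csrf>>` here matches the `[[403-csrf]]` block id added in the second hunk.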
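Review bot: the new entry links to the CSRF section with an absolute, version-pinned URL (`http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#csrf`); since faq.adoc is part of the same reference manual, an AsciiDoc cross-reference (for example `<<csrf>>`, assuming the CSRF chapter carries that anchor) would keep the link correct across releases and avoid pointing readers at a plain-http URL. Two smaller points in the same paragraph: the symptom is not specific to POST, because the default CSRF protection rejects any request whose method is not GET, HEAD, TRACE or OPTIONS, so the heading and text could name PUT, DELETE and PATCH as well; and the sentence `If an HTTP 403 Forbidden is returned for HTTP POST, but works for HTTP GET then the issue is most likely related to ... CSRF.` reads more cleanly as `If a request succeeds with HTTP GET but returns 403 Forbidden with HTTP POST, the cause is most likely CSRF protection.` The closing advice ("provide the CSRF Token or disable CSRF protection (not recommended)") is the right priority and should stay as written.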