
CSRF token mismatch in 6.6

Former Member

Hi all,

We are upgrading from 6.0 to 6.6. On submitting a POST request in 6.6, the CSRF token was generated as org.springframework.security.web.csrf.DefaultCsrfToken@3f7d8dec. Please suggest whether the generated CSRF format is correct.

On the other side, I could see the generated CSRF token being compared with csrfToken.getToken() as below. On inspecting, the value shown for csrfToken.getToken() was b9ef5846-ed23-4e73-bef1-40450a837c29.

actualToken = org.springframework.security.web.csrf.DefaultCsrfToken@3f7d8dec
csrfToken.getToken() = b9ef5846-ed23-4e73-bef1-40450a837c29

if (!csrfToken.getToken().equals(actualToken)) {
    // tokens differ: request is rejected
}

The above snippet of code is taken from the CsrfFilter class. With the above condition, it is redirecting to the /login page and returning a 302 status code.

We have already included it in the security XML. Can anybody help us understand how the tokens mismatch on comparison?

Answers (1)

Former Member

CSRFTokenManager is deprecated and now hybris is using CsrfFilter from Spring. You need to make changes to start using CSRFRequestDataValueProcessor, which uses a tokenRepository.

All you need is probably a cleanup of the deprecated CSRF handling, and things will start working.
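The two values in the question are a strong hint about what went wrong: b9ef5846-... is the token string held in the repository, while org.springframework.security.web.csrf.DefaultCsrfToken@3f7d8dec is the default Object.toString() of the token object itself, which is what a view renders when it emits the token object instead of its token property. The filter only ever compares the String returned by getToken(), so such a request can never validate. The following is an added, self-contained example written for this thread, not Spring's or hybris's code: it models the token object, a session-scoped tokenRepository and the filter's check, and shows the submitted value that fails beside the one that passes. The class names CsrfCheckDemo, CsrfToken and SessionTokenRepository, the header name X-CSRF-TOKEN, the parameter name CSRFToken and the session id are assumptions chosen for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Simplified model of the CSRF pieces discussed in the thread.
// Added example; not Spring Security's or hybris's own code.
public class CsrfCheckDemo {

    // Shaped like Spring's CsrfToken: the filter compares the String from
    // getToken(), never the object. No toString() override on purpose, so
    // rendering the object yields "ClassName@hash", as seen in the question.
    static final class CsrfToken {
        private final String headerName;
        private final String parameterName;
        private final String token;

        CsrfToken(String headerName, String parameterName, String token) {
            this.headerName = headerName;
            this.parameterName = parameterName;
            this.token = token;
        }
        String getHeaderName() { return headerName; }
        String getParameterName() { return parameterName; }
        String getToken() { return token; }
    }

    // Stand-in for a tokenRepository: one token per session id (assumption).
    static final class SessionTokenRepository {
        private final Map<String, CsrfToken> store = new HashMap<>();

        CsrfToken loadOrGenerate(String sessionId) {
            return store.computeIfAbsent(sessionId, id ->
                new CsrfToken("X-CSRF-TOKEN", "CSRFToken", UUID.randomUUID().toString()));
        }
    }

    // Constant-time comparison so a rejected token does not reveal through
    // response timing how many leading characters matched.
    static boolean constantTimeEquals(String expected, String actual) {
        if (expected == null || actual == null) {
            return false;
        }
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            actual.getBytes(StandardCharsets.UTF_8));
    }

    // The filter's check in simplified form: take the token from the header,
    // fall back to the request parameter, compare with the stored value.
    static boolean isValidRequest(SessionTokenRepository repo, String sessionId,
                                  Map<String, String> headers, Map<String, String> params) {
        CsrfToken expected = repo.loadOrGenerate(sessionId);
        String actual = headers.get(expected.getHeaderName());
        if (actual == null) {
            actual = params.get(expected.getParameterName());
        }
        return constantTimeEquals(expected.getToken(), actual);
    }

    public static void main(String[] args) {
        SessionTokenRepository repo = new SessionTokenRepository();
        String sessionId = "session-1"; // constructed sample value
        CsrfToken issued = repo.loadOrGenerate(sessionId);

        // Failing case: the form rendered the token object, so the POST carries
        // "CsrfCheckDemo$CsrfToken@..." text rather than the token value.
        Map<String, String> badParams = new HashMap<>();
        badParams.put("CSRFToken", String.valueOf(issued));
        System.out.println("object rendered into form, valid="
            + isValidRequest(repo, sessionId, new HashMap<>(), badParams));

        // Passing case: the form rendered issued.getToken(), the UUID string.
        Map<String, String> goodParams = new HashMap<>();
        goodParams.put("CSRFToken", issued.getToken());
        System.out.println("token value rendered into form, valid="
            + isValidRequest(repo, sessionId, new HashMap<>(), goodParams));

        // Also passing: the same value sent in the header, as AJAX clients do.
        Map<String, String> goodHeaders = new HashMap<>();
        goodHeaders.put("X-CSRF-TOKEN", issued.getToken());
        System.out.println("token value in header, valid="
            + isValidRequest(repo, sessionId, goodHeaders, new HashMap<>()));
    }
}
```

A quick check in the real application is to view the page source of the form that produces the 302: if the hidden CSRF field or the AJAX header contains text ending in "@" followed by hex digits instead of a UUID-like string, the template is emitting the token object rather than its token value, and the deprecated handling the answer refers to is the place to look.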