Issues with the Spring CsrfFilter during Hybris 6.3 upgrade

former_member1336901
Participant
0 Kudos

We are upgrading Hybris B2C 5.7 to Hybris 6.3 and are encountering the following issue in our storefront:

Every time a POST is made from a form, we get a 403 error and the Spring CsrfFilter complains "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'."

The CSRF attribute used in the POST request is "CSRFToken", which is used automatically by the form:form JSP tag. The storefront uses this token name, also in Hybris 6.3.

What are we doing wrong? Is the CsrfFilter needed at all? It looks like the whole CSRF handling (token generation and validation) is done already by the storefront itself (e.g. via the CSRFHandlerInterceptor, which uses "CSRFToken"), so the Spring CsrfFilter, which works on either the request parameter "_csrf" or the header "X-CSRF-Token", may not be needed at all.

Accepted Solutions (1)

Former Member

Thanks for sharing the solution. If you had followed the sequential approach of migrating from 5.7 -> 6.0, 6.0 -> 6.1, 6.1 -> 6.2, 6.2 -> 6.3, then it would have been solved.

For others looking for a solution, you can find it in the migration document from 6.1 -> 6.2. Refer to point 9g in the link below.

https://help.hybris.com/6.2.0/hcd/1788ac20e6844b72a443b9631c867be6.html

Thanks, Bala

Answers (1)

Former Member
0 Kudos

Hi, I faced the same issue while migrating to 6.3. Hybris is not using the CsrfFilter of Spring and has disabled it in spring-security-config.xml: <security:csrf disabled="true"/> under the <security:http> element. It uses the CSRFHandlerInterceptor and CSRFTokenManager for token creation and handling.

former_member1336901
Participant
0 Kudos

Thanks, I found the same solution yesterday - wanted to post it, but you already have.

So: In spring-security-config.xml, every <security:http> tag needs a subtag <security:csrf disabled="true"/>.
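The following spring-security-config.xml fragment is an added illustration of the fix described in the answers above; it is not the file shipped with Hybris, and the URL patterns and access rules in it are hypothetical placeholders. The point it shows is that every <security:http> filter chain must carry its own <security:csrf disabled="true"/> child: a chain that omits it still gets Spring Security's CsrfFilter, which looks only for the "_csrf" parameter or "X-CSRF-TOKEN" header and therefore answers every form POST carrying the storefront's "CSRFToken" parameter with 403.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a spring-security-config.xml fragment (not the Hybris original).
     Patterns and access expressions are placeholders chosen for illustration. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Chain 1: pattern-specific chain. Since Spring Security 4 the CsrfFilter is
         registered by default for every <security:http> element, so each chain
         must opt out explicitly. Disabling it here is acceptable only because the
         storefront's own CSRFHandlerInterceptor (registered in the MVC config, not
         shown) keeps validating the "CSRFToken" parameter on state-changing requests. -->
    <security:http pattern="/checkout/**">
        <security:csrf disabled="true"/>
        <security:intercept-url pattern="/checkout/**" access="isAuthenticated()"/>
    </security:http>

    <!-- Chain 2: catch-all chain. Forgetting the csrf element on even one chain
         reproduces the symptom from the question: "Invalid CSRF Token 'null' was
         found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'". -->
    <security:http pattern="/**">
        <security:csrf disabled="true"/>
        <security:intercept-url pattern="/**" access="permitAll"/>
    </security:http>

</beans>
```

After applying the change, confirm that CSRF protection has moved rather than disappeared: a form POST with a valid "CSRFToken" must succeed, and the same POST with the parameter removed must still be rejected, now by the CSRFHandlerInterceptor instead of the Spring CsrfFilter. If the second request is accepted, the interceptor is not mapped for that controller and the chain has no CSRF defence at all.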