Login/Register
How to use Spring Security with Mustache?
Asked Answered
javaspring-mvcspring-securitymustache
S

3

8

I'm following the Spring Security reference, and I've got redirection to a custom login page working as described in section 3.3. However, I'm not sure how to get the CSRF token in Mustache (all the examples use JSP). I've tried a few naïve things like this...

{{#_csrf}}
    <input type="hidden" name="{{parameterName}}" value="{{token}}"/>
{{/_csrf}}

...and this...

{{#CsrfToken}}
    <input type="hidden" name="{{parameterName}}" value="{{token}}"/>
{{/CsrfToken}}

...but they don't work (and I didn't really expect them to). How can I get the CSRF token in Mustache?

I'm also wondering: Where could I set a breakpoint in my code to see what Spring Security is sending as the model to my custom login view?)

Symmetrize answered 16/10, 2014 at 5:54 Comment(3)
Spring Security doesn't send the model; that's the Spring MVC DispatcherServlet. If you're going to use a template engine such as Mustache that doesn't have out-of-the-box integration, you'll need to look up the CSRF token in your controller and add it to the model yourself.Alpaca
@chrylis - You were right on; thanks for your help. I added an HttpServletRequest argument to my @RequestMapping handler method and got an instance of CsrfToken from the "_csrf" attribute. If you add an answer, I'll accept it.Symmetrize
Like this: CsrfToken token = (CsrfToken) httpServletRequest.getAttribute("_csrf"); model.addAttribute("token", token.getToken()); #20862799Scan
A
3

Add this to yourapplication.properties:

spring.mustache.expose-request-attributes=true

Then you have access to the _csrf request attribute in your template.

Aggrieved answered 5/11, 2019 at 15:41 Comment(0)
R
3

Add this to your application.properties:

spring.mustache.servlet.expose-request-attributes=true

Then you have access to the _csrf request attribute in your template.

Property was renamed from spring.mustache.expose-request-attributes in Spring Boot version 2.7.0.

Issue: https://github.com/spring-projects/spring-boot/issues/28858

Rust answered 29/1, 2023 at 15:54 Comment(0)
C
0

I am not sure from which version this is available, but you can just add a parameter for CsrfToken on your controller method to get the token to be passed into the model, like so:

@GetMapping("/dashboard")
public String dashboard(CsrfToken csrfToken, Model model) {
    model.addAttribute("_csrf", csrfToken);
    // render page
}

You don't have to use HttpServletRequest. Now you can use your first template.

If the above is too tedious to do for each controller methods, we can register an interceptor instead.

Interceptor:

public class CsrfTokenInterceptor implements HandlerInterceptor {
    @Override
    public void postHandle(HttpServletRequest request, HttpServletResponse response,
                           Object handler, ModelAndView modelAndView) throws Exception {
        CsrfToken csrfToken = (CsrfToken) request.getAttribute("_csrf");
        if (modelAndView != null) {
            modelAndView.addObject("_csrf", csrfToken);
        }
    }
}

Bean:

@Configuration
public class Config {
    @Bean
    public CsrfTokenInterceptor csrfTokenInterceptor() {
        return new CsrfTokenInterceptor();
    }
}

Add interceptor in WebMvcConfigurer:

@Configuration
public class WebMvcConfig implements WebMvcConfigurer {
    @Autowired
    CsrfTokenInterceptor csrfTokenInterceptor;

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(csrfTokenInterceptor);
    }
}
Complexion answered 8/12, 2018 at 13:37 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.