Simple example of Spring Security with Thymeleaf

From the Spring Security documentation

CSRF protection is enabled by default with Java configuration. If you would like to disable CSRF, the corresponding Java configuration can be seen below. Refer to the Javadoc of csrf() for additional customizations in how CSRF protection is configured.

And, when CSRF protection is enabled

The last step is to ensure that you include the CSRF token in all PATCH, POST, PUT, and DELETE methods.

In your case:

• you have CSRF protection enabled by default (because you are using Java configuration),
• you are submitting the login form using an HTTP POST and
• are not including the CSRF token in the login form. For this reason, your login request is denied upon submission because the CSRF protection filter cannot find the CSRF token in the incoming request.

You have already determined the possible solutions:

1. Disable CSRF protection as http.csrf().disable(); or
2. Include the CSRF token in the login form as a hidden parameter.

Since you are using Thymeleaf, you will have to do something like the following in your HTML template for the login page:

<form name="f" th:action="@{/login}" method="post">               
  <fieldset>

    <input type="hidden" 
           th:name="${_csrf.parameterName}" 
           th:value="${_csrf.token}" />

    ...
  </fieldset>
</form>

Note that you must use th:action and not HTML action as the Thymeleaf CSRF processor will kick-in only with the former.

You could change the form submission method to GET just to get over the problem but that isn't recommended since the users are going to submit sensitive information in the form.

I typically create a Thymeleaf fragment that is then used in all pages with forms to generate the markup for the forms with the CSRF token included. This reduces boilerplate code across the app.

---

Using @EnableWebMvcSecurity instead of @EnableWebSecurity to enable automatic injection of CSRF token with Thymeleaf tags. Also use <form th:action> instead of <form action> with Spring 3.2+ and Thymeleaf 2.1+ to force Thymeleaf to include the CSRF token as a hidden field automatically (source Spring JIRA).

Here is the solution that implements it exactly the way OP wanted:

1. Replace @EnableWebSecurity with @EnableWebMvcSecurity (that's what OP is missing)
2. Use th:action on <form> tag

When you use @EnableWebMvcSecurity Spring Security registers the CsrfRequestDataValueProcessor, and when you use th:action thymeleaf uses it's getExtraHiddenFields method to add, well, extra hidden fields to the form. And the csrf is the extra hidden field.

Since Spring Security 4.0, @EnableWebMvcSecurity has been deprecated and only @EnableWebSecurity is necessary. The _csrf protection continues to apply automatically.

You need to add Thymleaf's Spring Security Dialect.

1.) Add the Spring Security Dialect module to your classpath.

Maven Example:

<dependency>
    <groupId>org.thymeleaf.extras</groupId>
    <artifactId>thymeleaf-extras-springsecurity3</artifactId>
    <version>2.1.2.RELEASE</version>
</dependency>

2.) Add the SpringSecurityDialect object to your SpringTemplateEngine

import org.thymeleaf.extras.springsecurity3.dialect.SpringSecurityDialect;
templateEngine.addDialect(new SpringSecurityDialect()); //add this line in your config

Source: Spring in Action 4th Edition