Describe the bug Class CsrfFilter do not behave as spring boot security 2.7.8. Before spring boot security 3, token has been generated for each http method ("GET", "HEAD", "TRACE", "OPTIONS") too. It's common for non jsp app as angular. With spring boot security 3, token hasn't generated because, the RepositoryDeferredCsrfToken::get method was not runned (line 110 in CsrfFilter class).

To Reproduce Activate csrf token :

.csrf(csrf -> csrf
                        .csrfTokenRepository(CsrfTokenRepository.withHttpOnlyFalse())
                        .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())

Expected behavior Same behave as spring boot security 2.7.8

Comment From: alexisjarome

Before Spring 6, tokenRepository.loadToken() in CsrfFilter class is being called, regardless of the request http method. Now, it is only called on POST requests.

The result is your 1st POST call will result to 403 since there is no csrf token in the cookie yet (only at this time the csrf token will be saved in the cookie), so you have to call that POST method again.

Comment From: alexisjarome

as a workaround of this, check their documentation on preparing for 6.0 https://docs.spring.io/spring-security/reference/5.8/migration/servlet/exploits.html#_i_am_using_a_single_page_application_with_cookiecsrftokenrepository

Comment From: marcusdacoregio

Hi folks,

this answer might also help with the behavior change in the migration. https://stackoverflow.com/questions/74811673/spring-security-not-sending-csrf-token-in-rest-application/74813159#74813159

I'll close this as resolved but feel free to continue the discussion if you think your problem is different

Comment From: mickper

as a workaround of this, check their documentation on preparing for 6.0 https://docs.spring.io/spring-security/reference/5.8/migration/servlet/exploits.html#_i_am_using_a_single_page_application_with_cookiecsrftokenrepository

Hi @alexisjarome thanks, it helps to understand the new behavior. But the proposed spring solution doesn't restablish the old behave. Cause the token is erased at every POST when it is a cookie.

Hi folks,

this answer might also help with the behavior change in the migration. https://stackoverflow.com/questions/74811673/spring-security-not-sending-csrf-token-in-rest-application/74813159#74813159

I'll close this as resolved but feel free to continue the discussion if you think your problem is different

Thanks @marcusdacoregio but, as my answer to @alexisjarome, the cookie is erased at every POST/UPDATE/DELETE etc.. method by the filter.

I think it's linked to the deferred solution. I'll find another way. Thanks to help.

Comment From: marcusdacoregio

In order to opt-out from the deferred token, the workaround is in the same page https://docs.spring.io/spring-security/reference/5.8/migration/servlet/exploits.html#_i_need_to_opt_out_of_deferred_tokens_for_another_reason