Feb 21, 2017 at 04:03 PM

Issues with the Spring CsrfFilter during Hybris 6.3 upgrade

We are upgrading Hybris B2C 5.7 to Hybris 6.3 and are encountering the following issue in our storefront:

Every time a POST is made from a form, we get a 403 error and the Spring CsrfFilter complains "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'."

The CSRF attribute used in the POST request is "CSRFToken", which is used automatically by the form:form JSP tag. The storefront uses this token name, also in Hybris 6.3.

What are we doing wrong? Is the CsrfFilter needed at all? It looks like the whole CSRF handling (token generation and validation) is done already by the storefront itself (e.g. via the CSRFHandlerInterceptor, which uses "CSRFToken"), so the Spring CsrfFilter, which works on either the request parameter "_csrf" or the header "X-CSRF-Token", may not be needed at all.
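The name mismatch described in the question can be reproduced outside the storefront. The following is an added example, not code from the original post or from Hybris: it runs Spring Security's `CsrfFilter` against mock requests and shows that a POST carrying the token under `CSRFToken` is rejected with 403 by a repository that expects `_csrf`, while a repository whose parameter name is set to `CSRFToken` accepts it. It assumes `spring-security-web` and `spring-test` (javax servlet API, as used by the Spring 4 line) on the classpath; the `/cart/add` path is a constructed sample value.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;

public class CsrfParameterNameCheck {

    /** Repository whose parameter name matches the field the storefront form emits (assumption: "CSRFToken"). */
    static CsrfTokenRepository storefrontRepository() {
        HttpSessionCsrfTokenRepository repo = new HttpSessionCsrfTokenRepository();
        repo.setParameterName("CSRFToken");   // form:form in this storefront posts "CSRFToken", not "_csrf"
        repo.setHeaderName("X-CSRF-TOKEN");   // header lookup is left as-is for AJAX callers
        return repo;
    }

    /** Issues a POST that carries a valid session token under paramName and returns the HTTP status. */
    static int postWith(CsrfTokenRepository repo, String paramName) throws IOException, ServletException {
        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/cart/add"); // constructed path
        MockHttpServletResponse response = new MockHttpServletResponse();
        CsrfToken token = repo.generateToken(request);
        repo.saveToken(token, request, response);        // stores the token in the mock HTTP session
        request.setParameter(paramName, token.getToken()); // the form field name is what varies
        // CsrfFilter reads the header first, then the parameter, using the names the repository's token reports
        new CsrfFilter(repo).doFilter(request, response, new MockFilterChain());
        return response.getStatus();                      // 403 from the default AccessDeniedHandler on mismatch
    }

    public static void main(String[] args) throws Exception {
        CsrfTokenRepository defaults = new HttpSessionCsrfTokenRepository(); // default parameter name "_csrf"
        System.out.println("default repo, CSRFToken param: " + postWith(defaults, "CSRFToken"));
        System.out.println("default repo, _csrf param:     " + postWith(defaults, "_csrf"));
        System.out.println("aligned repo, CSRFToken param: " + postWith(storefrontRepository(), "CSRFToken"));
    }
}
```

The first call prints 403 (token present but under a name the filter never reads, hence "Invalid CSRF Token 'null'"), the other two print 200; whichever component ends up validating the token, the parameter name it reads must be the one the form actually sends.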