Clever Geek Handbook

Play Framework CSRF error "[CSRF] Check failed because no token found in headers"

I'm new to Play Framework and I'm trying to submit a form, but I get this error: "p.filters.CSRF - [CSRF] Check failed because no token found in headers." I am using Play 2.6, here's my controller code:

    package controllers;

import play.libs.Json;
import play.mvc.*;

import views.html.*;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class HomeController extends Controller {

    public Result index() {
        return ok(index.render("Your new application is ready."));
    }

    public Result test() {
        List<String> list = new ArrayList<>();
        list.add("Jobs");
        list.add("Work");
        list.add("Say");
        list.add("Stop");
        return ok(test.render("test", list));
    }

    public Result testPost() {
       Map<String,String[]> form =  request().body().asFormUrlEncoded();
       return ok(Json.toJson(form)).as("application/json");
    }

}

Template:

@(title: String, list: List[String])

@import helper._

<!DOCTYPE html>
<html lang="en">
    <head>
        <title>@title</title>
    </head>
    <body>
        <form action="/test" method="post">
            <textarea name="raw_text">

            </textarea>
            @CSRF.formField
            <input type="submit" value="Submit" />
        </form>
    </body>
</html>

What am I doing wrong?

+7


source to share


3 answers


I couldn't find anything wrong with your code, so I set up the same Play project locally. I am not addressing this issue when submitting the form. This is a basic project created with:

sbt new playframework/play-java-seed.g8

Testing Testing posting because the content of the textArea returns the following Json (as shown by the browser):

raw_text    
0   "            Testing testing"
csrfToken   
0   "8fdc72b2d628e4fc0d8f6359f2ea247cc0f22e5c-1499016237415-3c043ab2a02c18020df21a1f"

The only one I took from my own projects is a modified Filters class that looks like this:



import play.mvc.EssentialFilter;
import play.filters.cors.CORSFilter;
import play.http.HttpFilters;
import play.filters.csrf.CSRFFilter;
import play.filters.headers.SecurityHeadersFilter;
import java.util.List;
import javax.inject.Inject;
import javax.inject.Named;
import java.util.Arrays;
public class Filters implements HttpFilters {
    @Inject 
    CSRFFilter csrfFilter;
    @Inject
    CORSFilter corsFilter;
    @Inject 
    SecurityHeadersFilter secHeaders;

    @Override
    public List<EssentialFilter> getFilters() {

        return Arrays.<EssentialFilter>asList(new EssentialFilter[] { corsFilter.asJava(),secHeaders.asJava(), csrfFilter.asJava()});
                }
}

Also my routes are as follows in conf / routes:

# Map static resources from the /public folder to the /assets URL path
GET     /assets/*file               controllers.Assets.versioned(path="/public", file: Asset)
GET / controllers.HomeController.test()
POST /test controllers.HomeController.testPost()

Removing @ CSRF.formField caused an unauthorized CSRF as it did for you.

If you have any obvious differences from your setup, I'd be happy to dig further, but that doesn't seem to be a direct problem with your code.

+1


source


I ran into this. And I solved it very simply. Just add to your application.conf:

play.filters.enabled += "play.filters.csrf.CSRFFilter"

and in your routes file add the nocsrf modifier tag before your route:



+nocsrf
POST        /login                     controllers.AuthController.authorize()

just like that .. I hope my answer will help you. Thank!

+8


source


This may not apply to all situations, but in my case, the reason was that I was resetting the session in the controller so that the CSRF token would somehow become invalid.

If you call "withNewSession" in your code and you get this error, try removing it and see if the error goes away.

0


source






More articles:


All Articles