Hi, maybe nginx strips the header. Try the proxy settings of nginx:

proxy_set_header X-XSRF-TOKEN $http_x_xsrf_token;
06.07.2025 13:33:35 Hrvoje Lončar <horv...@gmail.com>:
> Hi!
>
> After recent Tomcat security changes, my POST requests are failing but not
> all the time.
> The problem is that the same request sometimes ends up with an error and
> sometimes not.
>
> Tomcat is 10.0.42 protected by nginx which handles the SSL certificate and
> forwards dynamic requests to Tomcat.
>
> Java exception:
>
> 2025-07-05 11:26:45,649 INFO (HttpSecurityConfig.java:210) [WEB_SECURITY]
> CustomAccessDeniedHandler: Unauthorized access; URI = /suggest; URL =
> http://thevegcat.com/suggest;
> AccessDeniedException = Invalid CSRF Token 'null' was found on the request
> parameter '_csrf' or header 'X-XSRF-TOKEN'.
> org.springframework.security.web.csrf.InvalidCsrfTokenException:
> Invalid CSRF Token 'null' was found on the request parameter '_csrf' or
> header 'X-XSRF-TOKEN'.
>     at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:129)
>
> ...which tells me the CSRF field of the POST request was chopped out of the request.
>
> Below is my server.xml
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Server port="8005" shutdown="SHUTDOWN">
>   <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
>   <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
>   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
>   <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
>   <GlobalNamingResources>
>     <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase"
>               description="User database that can be updated and saved"
>               factory="org.apache.catalina.users.MemoryUserDatabaseFact
>   </GlobalNamingResources>
>   <Service name="Catalina">
>     <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
>                redirectPort="8443" maxParameterCount="1000" maxPartCount="1000"/>
>     <Engine name="Catalina" defaultHost="localhost">
>       <Realm className="org.apache.catalina.realm.LockOutRealm">
>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                resourceName="UserDatabase"/>
>       </Realm>
>       <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
>         <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>                prefix="localhost_access_log" suffix=".txt"
>                pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
>       </Host>
>     </Engine>
>   </Service>
> </Server>
>
> Thanks!
>
> --
> TheVegCat.com <https://thevegcat.com/>
> VegCook.net <https://vegcook.net/>
> horvoje.net <https://horvoje.net/>
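For reference, here is a minimal nginx reverse-proxy configuration for Tomcat that passes the CSRF header through explicitly and also records, per request, whether the header reached nginx at all. It is an added illustration, not the configuration of either poster. The certificate paths, log path, location and server_name are assumptions (the hostname is taken from the quoted log line, and the upstream port 8080 follows the HTTP/1.1 Connector in the quoted server.xml).

```nginx
# Added example nginx configuration for fronting Tomcat; it is not the
# configuration of either poster. Paths, server_name and the upstream port
# are assumptions (8080 follows the HTTP/1.1 Connector in the quoted server.xml).
http {
    # Record whether the CSRF header reached nginx, without logging the token
    # value itself: xsrf=0 means the client never sent it, xsrf=1 with a
    # Tomcat-side failure means it was lost between nginx and the application.
    map $http_x_xsrf_token $has_xsrf {
        ""      0;
        default 1;
    }
    log_format csrf_debug '$remote_addr [$time_local] "$request" $status '
                          'xsrf=$has_xsrf upstream=$upstream_status';

    server {
        listen 443 ssl;
        server_name thevegcat.com;                            # from the quoted log line
        ssl_certificate     /etc/nginx/ssl/placeholder.crt;   # placeholder paths
        ssl_certificate_key /etc/nginx/ssl/placeholder.key;
        access_log /var/log/nginx/csrf_debug.log csrf_debug;  # assumed log path

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_http_version 1.1;

            # nginx forwards client request headers by default; these lines make
            # the CSRF header and the cookie carrying the expected token explicit.
            proxy_set_header X-XSRF-TOKEN $http_x_xsrf_token;
            proxy_set_header Cookie       $http_cookie;

            # Standard reverse-proxy headers so Tomcat sees the original host and scheme.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Run `nginx -t` before reloading. When a POST fails with the quoted InvalidCsrfTokenException, find the same request in the nginx log and compare: a line with xsrf=0 means the browser (or anything in front of nginx) did not send the header, while xsrf=1 narrows the loss to the hop between nginx and Tomcat. Note that the Spring message also accepts the token as the `_csrf` request parameter; a form POST that carries the token in the body rather than the header will show xsrf=0 even when it is valid, so read the flag together with the request type.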