Hi!

The problem is that sometimes it works and sometimes it doesn't, with strictly the same data entered.

BR,
Hrvoje

*TheVegCat.com <https://thevegcat.com/>*
*VegCook.net <https://vegcook.net/>*
*horvoje.net <https://horvoje.net/>*

On Sun, 6 Jul 2025, 15:22 Martin Konicsek, <mar...@konicsek.de> wrote:

> Hi,
> maybe nginx strips the header
>
> try proxy settings of nginx
> proxy_set_header X-XSRF-TOKEN $http_x_xsrf_token;
>
> 06.07.2025 13:33:35 Hrvoje Lončar <horv...@gmail.com>:
>
> > Hi!
> >
> > After recent Tomcat security changes, my POST requests are failing but not
> > all the time.
> > The problem is that the same request sometimes ends up with an error and
> > sometimes not.
> >
> > Tomcat is 10.0.42 protected by nginx which handles SSL certificate and
> > forwards dynamic requests to Tomcat.
> >
> > Java exception:
> >
> > 2025-07-05 11:26:45,649 INFO (HttpSecurityConfig.java:210) [WEB_SECURITY] CustomAccessDeniedHandler: Unauthorized access; URI = /suggest; URL = http://thevegcat.com/suggest; AccessDeniedException = Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.
> > org.springframework.security.web.csrf.InvalidCsrfTokenException: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.
> >     at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:129)
> >
> > ...which tells me CSRF field of POST request was chopped out of request.
> >
> > Below is my server.xml
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <Server port="8005" shutdown="SHUTDOWN">
> >   <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
> >   <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
> >   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
> >   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
> >   <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
> >   <GlobalNamingResources>
> >     <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase"
> >               description="User database that can be updated and saved"
> >               factory="org.apache.catalina.users.MemoryUserDatabaseFact>
> >   </GlobalNamingResources>
> >   <Service name="Catalina">
> >     <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
> >                redirectPort="8443" maxParameterCount="1000" maxPartCount="1000"/>
> >     <Engine name="Catalina" defaultHost="localhost">
> >       <Realm className="org.apache.catalina.realm.LockOutRealm">
> >         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
> >                resourceName="UserDatabase"/>
> >       </Realm>
> >       <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
> >         <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
> >                prefix="localhost_access_log" suffix=".txt"
> >                pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
> >       </Host>
> >     </Engine>
> >   </Service>
> > </Server>
> >
> > Thanks!
> >
> > --
> > *TheVegCat.com <https://thevegcat.com/>*
> > *VegCook.net <https://vegcook.net/>*
> > *horvoje.net <https://horvoje.net/>*
>