HTTP Status 403 – Invalid CSRF Token 'null' was found on the request parameter


I have to issue an HTTP POST (from an Android app) to my RESTful service to register a new user!

The problem is, when I try to issue a request to the register endpoint (without security), Spring keeps blocking me!

My Project Dependencies


Spring Security

<!-- the namespace URIs and schemaLocation were lost in extraction; these are the standard Spring ones -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- this is the register endpoint -->
    <http security="none" pattern="/webapi/cadastro**" />

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/webapi/dados**"
            access="hasAnyRole('ROLE_USER','ROLE_SYS')" />
        <intercept-url pattern="/webapi/system**"
            access="hasRole('ROLE_SYS')" />

<!--        <access-denied-handler error-page="/negado" /> -->
        <form-login login-page="/home/" default-target-url="/webapi/"
            authentication-failure-url="/home?error" username-parameter="username"
            password-parameter="password" />
        <logout logout-success-url="/home?logout" />
        <csrf token-repository-ref="csrfTokenRepository" />
    </http>

    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="md5" />
            <!-- the join column before "= r.usuario_id" was lost in extraction -->
            <jdbc-user-service data-source-ref="dataSource"
                users-by-username-query="SELECT username, password, ativo
                   FROM usuarios
                  WHERE username = ?"
                authorities-by-username-query="SELECT u.username, r.role
                   FROM usuarios_roles r, usuarios u
                  WHERE = r.usuario_id
                    AND u.username = ?" />
        </authentication-provider>
    </authentication-manager>

    <!-- the class attribute was lost in extraction; HttpSessionCsrfTokenRepository is the
         Spring repository that exposes the headerName property used here -->
    <beans:bean id="csrfTokenRepository"
        class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository">
        <beans:property name="headerName" value="X-XSRF-TOKEN" />
    </beans:bean>
</beans:beans>



import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;

// the class-level stereotype, the @Autowired, the method mapping and the request-body
// parameter were lost in extraction and are restored here (assumed, not from the page)
@RestController
@RequestMapping(value="/webapi/cadastro", produces="application/json")
public class CadastroController {
    @Autowired
    UsuarioService usuarioService;

    // /webapi/cadastro/novo is the path the Angular client posts to
    @RequestMapping(value="/novo", method=RequestMethod.POST)
    public String register(@RequestBody Usuario usuario) {
        // this.usuarioService.insert(usuario);
        // usuario.setPassword(HashMD5.criptar(usuario.getPassword()));
        return "teste";
    }
}

JS Post ( Angular )

// usuario: the object being registered (the payload variable name is assumed)
$http.post('/webapi/cadastro/novo', usuario).success(function(data) {
    // registration succeeded
}).error(function(data) {
    // the 403 below lands here
});

And the error

HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.

type Status report
message Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'

— Solution —

Implemented a filter to attach my X-XSRF-TOKEN to every request header

import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.WebUtils;

public class CsrfHeaderFilter extends OncePerRequestFilter {
  @Override
  protected void doFilterInternal(HttpServletRequest request,
      HttpServletResponse response, FilterChain filterChain)
      throws ServletException, IOException {
    // Spring's CsrfFilter stores the current token as a request attribute
    CsrfToken csrf = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
    if (csrf != null) {
      Cookie cookie = WebUtils.getCookie(request, "XSRF-TOKEN");
      String token = csrf.getToken();
      // (re)issue the cookie when it is missing or no longer matches the session token
      if (cookie==null || token!=null && !token.equals(cookie.getValue())) {
        cookie = new Cookie("XSRF-TOKEN", token);
        cookie.setPath("/");
        response.addCookie(cookie);
      }
    }
    filterChain.doFilter(request, response);
  }
}

Added a mapping for this filter to web.xml and done!


Method 1

In your code above, I can't see anything which would pass the CSRF token to the client (which is automatic if you use JSP etc.).

A popular practice for this is to code a filter to attach the CSRF token as a cookie. Your client then sends a GET request first to fetch that cookie. For the subsequent requests, that cookie is then sent back as a header.

Whereas the official Spring Angular guide explains it in detail, you can refer to Spring Lemon for a complete working example.

For sending the cookie back as a header, you may need to write some code. AngularJS does that by default (unless you are sending cross-domain requests), but here is an example, in case your client doesn't:

angular.module('appBoot', ['ngCookies', 'ngMessages', 'ui.bootstrap', 'vcRecaptcha'])
    .config(['$httpProvider', function ($httpProvider) {

      $httpProvider.defaults.withCredentials = true;
      // register the interceptor below so every $http request passes through it
      $httpProvider.interceptors.push('XSRFInterceptor');
    }]);

angular.module('appBoot')
  .factory('XSRFInterceptor', function ($cookies, $log) {

    var XSRFInterceptor = {

      request: function(config) {

        // read the XSRF-TOKEN cookie set by the server and echo it as a header
        var token = $cookies.get('XSRF-TOKEN');

        if (token) {
          config.headers['X-XSRF-TOKEN'] = token;
          $log.info("X-XSRF-TOKEN: " + token);
        }

        return config;
      }
    };

    return XSRFInterceptor;
  });



All methods were sourced from or and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
