Using AngularJS with SpringSecurity3.2 for CSRF

All we need is an easy explanation of the problem, so here it is.



    <meta name="_csrf" content="${_csrf.token}"/>
    <!-- default header name is X-CSRF-TOKEN -->
    <meta name="_csrf_header" content="${_csrf.headerName}"/>

SpringSecurity 3.2

Spring uses HttpSessionCsrfTokenRepository which by default gives header name for CSRF as X-CSRF-TOKEN, however Anuglar convention is X-XSRF-TOKEN

I wanted to extend HttpSessionCsrfTokenRepository and override the header name, but since it is marked final I ended up implementing a custom token repository.

public class CustomCsrfTokenRepository implements CsrfTokenRepository {

  public static final String CSRF_PARAMETER_NAME = "_csrf";

  public static final String CSRF_HEADER_NAME = "X-XSRF-TOKEN";

  private final Map<String, CsrfToken> tokenRepository = new ConcurrentHashMap<>();

  public CustomCsrfTokenRepository() {"Creating {}", CustomCsrfTokenRepository.class.getSimpleName());

  public CsrfToken generateToken(HttpServletRequest request) {
    return new DefaultCsrfToken(CSRF_HEADER_NAME, CSRF_PARAMETER_NAME, createNewToken());

  public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
    String key = getKey(request);
    if (key == null)

    if (token == null) {
    } else {
      tokenRepository.put(key, token);

  public CsrfToken loadToken(HttpServletRequest request) {
    String key = getKey(request);
    return key == null ? null : tokenRepository.get(key);

  private String getKey(HttpServletRequest request) {
    return request.getHeader("Authorization");

  private String createNewToken() {
    return UUID.randomUUID().toString();

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private CustomCsrfTokenRepository customCsrfTokenRepository;

        protected void configure(HttpSecurity http) throws Exception {

    //          .addFilterAfter(new CsrfTokenGeneratorFilter(), CsrfFilter.class)

  1. How can I cleanly override the header name instead of creating a custom csrfTokenRepository?

  2. Is there any other configuration changes I need to do for Single Page
    Applications such as AngularJS, as this does not work yet.

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

When using Java configuration for Spring Security, the following should be possible:

  public void configure(final HttpSecurity http) throws Exception
    final HttpSessionCsrfTokenRepository tokenRepository = new HttpSessionCsrfTokenRepository();


The complication is that single-page applications rely on AJAX and including CSRF tokens with AJAX requests is a bit complicated. When using AngularJS, the server should send a session cookie called XSRF-TOKEN upon first request and whenever a user logs in or logs out. AngularJS will then return the value of this cookie in the HTTP header X-XSRF-TOKEN with all requests, which the server can then check.

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply