Hi,

You could use a global Ajax listener that adds the CSRF token to all Ajax requests.
In the YourApp#init() method do:

    getAjaxRequestTargetListeners().add(new AjaxRequestTarget.AbstractListener() {
        @Override
        public void updateAjaxAttributes(AbstractDefaultAjaxBehavior behavior, AjaxRequestAttributes attributes) {
            // Only POST requests get the token as an extra request parameter.
            if (attributes.getMethod() == Method.POST) {
                attributes.getExtraParameters().put("CSRF-TOKEN", theTokenTakenFromSpringSecurity);
            }
        }
    });

I am not sure where Spring Security looks for the token in a request. If it is not possible via request parameter then you can use AjaxCallListener#beforeSend() to put it in the headers.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Wed, Oct 5, 2016 at 10:53 AM, mr <maliros1...@gmail.com> wrote:

> hi,
>
> If I remove the <sec:csrf disabled="true"/> tag (because I need csrf protection
> in my app)
> I'm getting an exception when pressing the button in my login page:
> "Wicket.Ajax.Call.failure: Error while parsing response: Could not verify
> the provided CSRF token because your session was not found"
> Wicket version-6.24.0
> Spring-security version- 4.1.3
>
> Can someone help me?
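
The header variant mentioned in the reply, as an added example that is not part of the original thread: Spring Security's CsrfFilter checks the header named by CsrfToken#getHeaderName() first and then the request parameter named by CsrfToken#getParameterName(), and it exposes the expected token as a request attribute. The class name CsrfHeaderAjaxListener is hypothetical, and the code assumes the Wicket filter runs behind the Spring Security filter chain so that the attribute is present.

```java
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.Component;
import org.apache.wicket.ajax.AbstractDefaultAjaxBehavior;
import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.attributes.AjaxCallListener;
import org.apache.wicket.ajax.attributes.AjaxRequestAttributes;
import org.apache.wicket.request.cycle.RequestCycle;
import org.springframework.security.web.csrf.CsrfToken;

/** Hypothetical listener; register it in YourApp#init() with getAjaxRequestTargetListeners().add(...). */
public class CsrfHeaderAjaxListener extends AjaxRequestTarget.AbstractListener {

    // Only values matching this pattern are written into the generated JavaScript.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9_-]+");

    @Override
    public void updateAjaxAttributes(AbstractDefaultAjaxBehavior behavior,
                                     AjaxRequestAttributes attributes) {
        if (attributes.getMethod() != AjaxRequestAttributes.Method.POST) {
            return; // keep the token out of GET requests and their URLs
        }
        HttpServletRequest request =
            (HttpServletRequest) RequestCycle.get().getRequest().getContainerRequest();
        // CsrfFilter stores the expected token under this request attribute.
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        if (token == null
                || !SAFE.matcher(token.getHeaderName()).matches()
                || !SAFE.matcher(token.getToken()).matches()) {
            return; // filter not in the chain, or unexpected characters: emit nothing
        }
        final String script = "jqXHR.setRequestHeader('" + token.getHeaderName()
            + "', '" + token.getToken() + "');";
        attributes.getAjaxCallListeners().add(new AjaxCallListener() {
            @Override
            public CharSequence getBeforeSendHandler(Component component) {
                // Wicket runs this with (attrs, jqXHR, settings) right before sending.
                return script;
            }
        });
    }
}
```

To send the token as a request parameter instead, put token.getToken() into attributes.getExtraParameters() under token.getParameterName().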