    package controllers;

    import play.data.Form;
    import play.filters.csrf.AddCSRFToken;
    import play.filters.csrf.RequireCSRFCheck;
    import play.mvc.Controller;
    import play.mvc.Result;

    public class ExampleController extends Controller {

        // Renders the form; @AddCSRFToken makes sure a token exists for the template.
        @AddCSRFToken
        public Result GET_ShowForm() {
            final Form<DemoForm> demoForm = Form.form(DemoForm.class);
            return ok(MyFormView.render(demoForm));
        }

        // Handles the submission; only the check is required here, no token is added.
        @RequireCSRFCheck
        public Result POST_ProcessForm() {
            final Form<DemoForm> demoForm = Form
                    .form(DemoForm.class)
                    .bindFromRequest();
            if (demoForm.hasErrors()) {
                // Re-rendering the form here needs a CSRF token for the template helper.
                return badRequest(MyFormView.render(demoForm)); // On Play 2.5.1 : BOOM / RuntimeException
            }
            // Do something with form data
            return redirect(routes.ExampleController.GET_ShowForm());
        }
    }
    java.util.concurrent.CompletionException: java.lang.RuntimeException: No CSRF token present!
        at java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:292)
        at java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:308)
        at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:593)
        at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
        at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
        at java.util.concurrent.CompletableFuture.completeExceptionally(CompletableFuture.java:1977)
        at scala.concurrent.java8.FuturesConvertersImpl$CF.apply(FutureConvertersImpl.scala:21)
        at scala.concurrent.java8.FuturesConvertersImpl$CF.apply(FutureConvertersImpl.scala:18)
        at scala.concurrent.impl.CallbackRunnable.run(Promise.scala:32)
        at scala.concurrent.BatchingExecutor$Batch$$anonfun$run$1.processBatch$1(BatchingExecutor.scala:63)
    Caused by: java.lang.RuntimeException: No CSRF token present!
        at scala.sys.package$.error(package.scala:27)
        at views.html.helper.CSRF$$anonfun$2.apply(CSRF.scala:29)
        at views.html.helper.CSRF$$anonfun$2.apply(CSRF.scala:29)
        at scala.Option.getOrElse(Option.scala:121)
        at views.html.helper.CSRF$.formField(CSRF.scala:29)
--
You received this message because you are subscribed to the Google Groups "play-framework" group.
To unsubscribe from this group and stop receiving emails from it, send an email to play-framewor...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/play-framework/d8e84e29-9798-4ca2-a581-ffa2cb2b6383%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Actually, I think a 500 error is okay, though it might be better if we threw a more useful type of exception. CSRF.getToken gets the server-generated token that should be displayed to the user. If the token is somehow not being generated on the server, then something is not configured properly. It should get a new token regardless of the input from the user.
In this case it is your job as a developer to ensure that a token is present on the server. If you are rendering a form, you should use @CSRFAddToken to ensure a token is generated. The @RequireCSRFCheck just requires a check, so I actually think the OP's code is buggy. But I'm not sure why the behavior changed.
Based on RFC2616, HTTP 500 means "The server encountered an unexpected condition which prevented it from fulfilling the request." I don't think there's a better status code you could return. If the server is rendering a form, it's an "unexpected condition" to not have added that token to the session.
It's a bad request, and it's a client error: it should have sent the CSRF token. It's not unexpected: input can be wrong, or missing stuff. That is expected in the HTTP world. So, in this case, go with a 400. A 500 "unexpected error" is that we screwed up on the server side, because something really bad happened.
> It's a bad request, and it's a client error: it should have sent the CSRF token. It's not unexpected: input can be wrong, or missing stuff. That is expected in the HTTP world. So, in this case, go with a 400. A 500 "unexpected error" is that we screwed up on the server side, because something really bad happened.

No. The token it's getting in the form helper is the token that the server has generated. If you're using the AddCSRFToken helper, a new session token will be generated so it's available in the request, regardless of what the client has sent. If you're getting that exception, there's either a bug/misconfiguration in your code, or a bug in Play.
In this case it's also possible the CSRF check is not actually being performed. @RequireCSRFCheck only "requires" a check if the CSRF filter configuration tells it to do so. So this exception could happen on a bare request if no check is performed, and it's possible that is happening because of the CSRF configuration changes in 2.5.
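The controller from the original post, corrected along the lines the replies suggest (an added example, not code from the thread or from Play itself): the POST action carries @AddCSRFToken as well as @RequireCSRFCheck, so a server-side token exists when the form is re-rendered on a validation error, and a Filters class registers the CSRF filter so the check is actually performed. The Play 2.5.x Java API is assumed; DemoForm, MyFormView and the route names are the poster's own and are not defined here.

```java
// File: app/controllers/ExampleController.java
package controllers;

import javax.inject.Inject;
import play.data.Form;
import play.data.FormFactory;
import play.filters.csrf.AddCSRFToken;
import play.filters.csrf.RequireCSRFCheck;
import play.mvc.Controller;
import play.mvc.Result;

public class ExampleController extends Controller {

    // Play 2.5 prefers an injected FormFactory over the static Form.form(...)
    @Inject
    private FormFactory formFactory;

    @AddCSRFToken
    public Result GET_ShowForm() {
        final Form<DemoForm> demoForm = formFactory.form(DemoForm.class);
        return ok(MyFormView.render(demoForm));
    }

    // RequireCSRFCheck rejects a submission without a valid token;
    // AddCSRFToken guarantees a fresh server-generated token is in the request,
    // so re-rendering the form on a validation error no longer throws
    // "No CSRF token present!". The token used by the view never comes from the client.
    @RequireCSRFCheck
    @AddCSRFToken
    public Result POST_ProcessForm() {
        final Form<DemoForm> demoForm = formFactory.form(DemoForm.class).bindFromRequest();
        if (demoForm.hasErrors()) {
            return badRequest(MyFormView.render(demoForm));
        }
        // process demoForm.get() ...
        return redirect(routes.ExampleController.GET_ShowForm());
    }
}

// File: app/Filters.java (referenced from application.conf as play.http.filters = "Filters")
// Without the CSRF filter being registered, @RequireCSRFCheck does not perform a check.
// Assumed Play 2.5 HttpFilters signature: filters() returns play.api.mvc.EssentialFilter[].
class Filters implements play.http.HttpFilters {
    @Inject
    private play.filters.csrf.CSRFFilter csrfFilter;

    @Override
    public play.api.mvc.EssentialFilter[] filters() {
        return new play.api.mvc.EssentialFilter[] { csrfFilter };
    }
}
```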