I'm trying to leverage spring security's built in CSRF protection. These are the spring versions i'm using:

Spring Framework version - 4.2.1

Spring security - 4.0.2

The spring security documentation mentions that the login page must also be protected against CSRF attacks. I see that my login does not work when i enable CSRF protection (and no token is passed) - as expected.

My login page is a pure HTML page (not a JSP) and i cannot make use of any Spring or JSTL tags. I'm thinking about implementing a solution similar to the one described here -

With Spring Security 3.2.0.RELEASE, how can I get the CSRF token in a page that is purely HTML with no tag libs

The solution as explained in the above link(the author's blog linked in the comment to the accepted answer) is to make a AJAX call on the login page that will get the value of the CSRF token and to then include it in the login request

However, the spring documentation also mentions that a new HttpSession will be created as soon as the csrfToken is accessed. I have a couple of concerns-

1. My ajax call to get the csrf token will not be secured since i have to invoke it before the login.

2. The fact that a new HttpSession is generated as soon as the CSRF token is accessed is also cause for concern given that the ajax call is not secured.

The rest of the application only makes AJAX or REST calls and I plan on implementing client interceptors to include the CSRF token in the header once the user is logged in.(As i understand it, there is one CsrfToken for the user session)

Does anyone have an idea on securing a purely HTML login page with spring's CSRF protection?

1) If you study about the CSRF vulnerability closely, you'll find that there would be no loophole in getting the token through a GET request.

2) After login/logout etc, when a new session is created, the token will change, and you may need to fetch it again. It's discussed more in this post.

Spring Lemon's source code would be a good reference on how to use AJAX+CSRF. See also this official guide.