In non-Thymeleaf projects (in my case pug4j), _csrf is not automatically implemented and included in the template variables. I had some trouble finding how to do it but the solution was in this paragraph:
If these options are not available, you can take advantage of the fact that the CsrfToken is exposed as an HttpServletRequest attribute named _csrf. The following example does this with a JSP:
So, that means in your @Controller or in a HandlerInterceptor, inject the _csrf object by using HttpServletRequest.getAttribute("_csrf"):
modelAndView.addObject("_csrf", request.getAttribute("_csrf"));