In order to enable CSRF protection, it is necessary to specify this class in a component-scan or register it in the
WEB-INF/spring-context/portlet-application-context.xml descriptor. For example:
<bean id="springSecurityPortletConfigurer" class="com.liferay.portletmvc4spring.security.SpringSecurityPortletConfigurer" />
<bean id="delegatingFilterProxy" class="org.springframework.web.filter.DelegatingFilterProxy">
    <property name="targetBeanName" value="springSecurityFilterChain" />
</bean>
It is also necessary to register the SpringSecurityPortletFilter in the WEB-INF/portlet.xml descriptor. For example:
<portlet-app>
    <filter>
        <filter-name>SpringSecurityPortletFilter</filter-name>
        <filter-class>com.liferay.portletmvc4spring.security.SpringSecurityPortletFilter</filter-class>
        <lifecycle>ACTION_PHASE</lifecycle>
        <lifecycle>RENDER_PHASE</lifecycle>
        <lifecycle>RESOURCE_PHASE</lifecycle>
    </filter>
    <filter-mapping>
        <filter-name>SpringSecurityPortletFilter</filter-name>
        <portlet-name>portlet1</portlet-name>
    </filter-mapping>
</portlet-app>
Finally, it is necessary to specify the following in the WEB-INF/web.xml descriptor:
<filter>
    <filter-name>delegatingFilterProxy</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>delegatingFilterProxy</filter-name>
    <url-pattern>/WEB-INF/servlet/view</url-pattern>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
</filter-mapping>
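An added example, not part of the PortletMVC4Spring documentation: a Python check that the three descriptors carry the registrations shown above, reporting any lifecycle phase or dispatcher type that is missing. The descriptor strings are constructed samples and the function names are this example's own. It does not inspect component-scan, so a configurer registered that way is reported as not registered as a bean.

```python
import xml.etree.ElementTree as ET

PKG = "com.liferay.portletmvc4spring.security."
PROXY = "org.springframework.web.filter.DelegatingFilterProxy"

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # tag name without its XML namespace

def texts(el, name):
    return {(c.text or "").strip() for c in el if local(c) == name}

def named(root, tag, name):  # <tag> elements whose <filter-name> child equals name
    return [e for e in root.iter() if local(e) == tag and name in texts(e, "filter-name")]

def check_filter(xml, label, cls, holder, tag, need):
    """Findings for one descriptor: filter declared, mapped, required values present."""
    root, out = ET.fromstring(xml), []
    names = sorted(n for e in root.iter() if local(e) == "filter"
                   and cls in texts(e, "filter-class") for n in texts(e, "filter-name"))
    if not names:
        out.append(f"{label}: {cls.rsplit('.', 1)[-1]} not declared")
    for n in names:
        have = set().union(*(texts(e, tag) for e in named(root, holder, n)))
        if need - have:
            out.append(f"{label}: {n} lacks {', '.join(sorted(need - have))}")
        if not named(root, "filter-mapping", n):
            out.append(f"{label}: {n} has no filter-mapping")
    return out

def check(context_xml, portlet_xml, web_xml):
    """Return findings; an empty list means all three registrations are present."""
    beans = {e.get("class") for e in ET.fromstring(context_xml).iter() if local(e) == "bean"}
    out = [] if PKG + "SpringSecurityPortletConfigurer" in beans else [
        "context: SpringSecurityPortletConfigurer not registered as a bean"]
    out += check_filter(portlet_xml, "portlet.xml", PKG + "SpringSecurityPortletFilter",
                        "filter", "lifecycle", {"ACTION_PHASE", "RENDER_PHASE", "RESOURCE_PHASE"})
    out += check_filter(web_xml, "web.xml", PROXY,
                        "filter-mapping", "dispatcher", {"FORWARD", "INCLUDE"})
    return out

# Constructed sample descriptors: RESOURCE_PHASE and INCLUDE are deliberately left out.
CTX = f'<beans><bean id="c" class="{PKG}SpringSecurityPortletConfigurer"/></beans>'
PLT = (f"<portlet-app><filter><filter-name>F</filter-name><filter-class>{PKG}"
       "SpringSecurityPortletFilter</filter-class><lifecycle>ACTION_PHASE</lifecycle>"
       "<lifecycle>RENDER_PHASE</lifecycle></filter><filter-mapping><filter-name>F"
       "</filter-name><portlet-name>portlet1</portlet-name></filter-mapping></portlet-app>")
WEB = (f"<web-app><filter><filter-name>p</filter-name><filter-class>{PROXY}"
       "</filter-class></filter><filter-mapping><filter-name>p</filter-name>"
       "<dispatcher>FORWARD</dispatcher></filter-mapping></web-app>")
```

Calling check(CTX, PLT, WEB) on the samples returns one finding for the missing RESOURCE_PHASE and one for the missing INCLUDE dispatcher.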