From the Spring Security documentation

CSRF protection is enabled by default with Java configuration. If you would like to disable CSRF, the corresponding Java configuration can be seen below. Refer to the Javadoc of csrf() for additional customizations in how CSRF protection is configured.

And, when CSRF protection is enabled

The last step is to ensure that you include the CSRF token in all PATCH, POST, PUT, and DELETE methods.

In your case:

• you have CSRF protection enabled by default (because you are using Java configuration),
• you are submitting the login form using an HTTP POST and
• are not including the CSRF token in the login form. For this reason, your login request is denied upon submission because the CSRF protection filter cannot find the CSRF token in the incoming request.

You have already determined the possible solutions:

1. Disable CSRF protection as http.csrf().disable(); or
2. Include the CSRF token in the login form as a hidden parameter.

Since you are using Thymeleaf, you will have to do something like the following in your HTML template for the login page:

<form name="f" th:action="@{/login}" method="post">

  <fieldset>

    <input type="hidden"

           th:name="${_csrf.parameterName}"

           th:value="${_csrf.token}" />

    ...

  </fieldset>

</form>

Note that you must use th:action and not HTML action as the Thymeleaf CSRF processor will kick-in only with the former.

You could change the form submission method to GET just to get over the problem but that isn't recommended since the users are going to submit sensitive information in the form.

I typically create a Thymeleaf fragment that is then used in all pages with forms to generate the markup for the forms with the CSRF token included. This reduces boilerplate code across the app.