1. Do not disable CSRF in the WebSecurityConfigurerAdapter configuration class (CSRF protection is on by default). Leave the following line commented out, or remove it:
//.and().csrf().disable(); /* disable CSRF protection */
2. Add a hidden field to the login page to carry the CSRF token (this form is for the Thymeleaf template engine)
<input type="hidden" th:if="${_csrf}!=null" th:value="${_csrf.token}" name="_csrf">
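To confirm that both steps took effect, a MockMvc test can check that the login POST is rejected without the token and accepted with it. This is an added example, not code from the original page. It assumes a Spring Boot 2.x application with JUnit 5 and spring-security-test on the test classpath, form login processed at /login, and the default access-denied handling; the class name, the /login URL and the credentials are constructed for illustration.

```java
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.web.servlet.MockMvc;

// Hypothetical test class: loads the application's own security configuration.
@SpringBootTest
@AutoConfigureMockMvc
class LoginCsrfTest {

    @Autowired
    private MockMvc mvc;

    // No _csrf parameter: CsrfFilter rejects the request before authentication runs.
    @Test
    void loginPostWithoutTokenIsForbidden() throws Exception {
        mvc.perform(post("/login")                      // assumed login processing URL
                .param("username", "user")              // constructed sample credentials
                .param("password", "password"))
           .andExpect(status().isForbidden());
    }

    // A token that does not match the stored one is rejected the same way.
    @Test
    void loginPostWithInvalidTokenIsForbidden() throws Exception {
        mvc.perform(post("/login")
                .with(csrf().useInvalidToken())
                .param("username", "user")
                .param("password", "password"))
           .andExpect(status().isForbidden());
    }

    // A valid token lets the request reach form login, which answers with a
    // redirect whether or not the credentials are correct.
    @Test
    void loginPostWithValidTokenReachesFormLogin() throws Exception {
        mvc.perform(post("/login")
                .with(csrf())                           // adds a valid _csrf parameter
                .param("username", "user")
                .param("password", "password"))
           .andExpect(status().is3xxRedirection());
    }
}
```

If the first two tests fail with a redirect instead of 403, CSRF protection has been disabled somewhere in the security configuration.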