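In Spring Security, CSRF protection is on by default. As a result, it asks for a CSRF token during login and other requests. Disabling the protection is not good practice, because an application that authenticates users with a session cookie will then accept requests without checking that they were issued from its own pages. It can nevertheless be done: as the code below shows, calling
http.csrf().disable() disables it.
If this line is omitted, CSRF protection stays enabled.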
/**
 * Spring Security Java configuration: wires the user lookup service and password
 * encoder into the authentication manager, declares URL access rules, and sets up
 * form login. CSRF protection is explicitly disabled in {@link #configure(HttpSecurity)}.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
    // Injected by bean name; used below as the source of user records for authentication.
    @Autowired
    @Qualifier("userDetailsService") // user defined service with service name "userDetailsService"
    private UserDetailsService userDetailsService;

    /**
     * Registers the injected {@code userDetailsService} and the encoder returned by
     * {@link #passwordEncoder()} on the authentication manager builder.
     *
     * @param auth builder supplied by Spring
     * @throws Exception if the builder rejects the configuration
     */
    @Autowired
    public void configureGlobalSecurity(AuthenticationManagerBuilder auth) throws Exception {
        // Passwords are checked as MD5 digests. MD5 is a hash, not encryption, and no
        // salt source is configured in this listing.
        // NOTE(review): MD5 is fast to compute and not suited to password storage; an
        // adaptive encoder such as BCryptPasswordEncoder is the usual choice. Switching
        // means re-hashing stored passwords, so plan a migration.
        auth.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder());
    }

    /**
     * Declares the HTTP security rules: CSRF handling, per-URL authorization and form login.
     * The matchers are evaluated in the order they are declared, so keep specific
     * patterns ahead of broader ones.
     *
     * @param http the HTTP security builder supplied by Spring
     * @throws Exception if the builder rejects the configuration
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // CSRF token checking is switched off here (the point of this example).
            // With form login the user is normally tracked by a session cookie, so with
            // this line present requests are accepted without a CSRF token.
            // NOTE(review): leave CSRF enabled for browser-facing, session-based apps and
            // send the token with each form; disabling is usually reserved for stateless
            // APIs that do not authenticate with cookies.
            .csrf().disable()
            .authorizeRequests()
            // Open to everyone, including unauthenticated visitors.
            .antMatchers("/", "/homepage/**").permitAll()
            // Requires the ROLE_ADMIN authority.
            .antMatchers("/admin/**").access("hasRole('ROLE_ADMIN')")
            // Requires both authorities. NOTE(review): whether a ROLE_ prefix is applied to
            // 'DBA' depends on the Spring Security version; confirm it matches the authority
            // names issued by userDetailsService.
            .antMatchers("/db/**").access("hasRole('ROLE_ADMIN') and hasRole('DBA')")
            // NOTE(review): there is no catch-all rule (e.g. anyRequest().authenticated()),
            // so URLs outside the patterns above have no access rule declared here.
            // Custom login page at /login. NOTE(review): loginSuccessHandler is not declared
            // anywhere in this listing; it presumably is an injected field omitted from the
            // example.
            .and().formLogin().loginPage("/login").successHandler(loginSuccessHandler)
            // Names of the form fields that carry the credentials.
            .usernameParameter("username").passwordParameter("password");
    }

    /**
     * Exposes the password encoder as a bean.
     *
     * NOTE(review): Md5PasswordEncoder produces a plain MD5 digest, which is inadequate
     * for protecting stored passwords against offline guessing; see the note in
     * {@link #configureGlobalSecurity(AuthenticationManagerBuilder)}.
     *
     * @return a new {@code Md5PasswordEncoder}
     */
    @Bean
    public Md5PasswordEncoder passwordEncoder() throws Exception {
        return new Md5PasswordEncoder();
    }
}