From 3cb2b0606ea3f81ff7363228f4914e61ba723b33 Mon Sep 17 00:00:00 2001
From: Steve Riesenberg
Date: Wed, 16 Nov 2022 16:41:14 -0600
Subject: [PATCH 1/2] Document deprecation of tokenFromMultipartDataEnabled

Issue gh-12020
---
 .../ROOT/pages/migration/reactive.adoc | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)

diff --git a/docs/modules/ROOT/pages/migration/reactive.adoc b/docs/modules/ROOT/pages/migration/reactive.adoc
index 7039340bb8..8c9696733c 100644
--- a/docs/modules/ROOT/pages/migration/reactive.adoc
+++ b/docs/modules/ROOT/pages/migration/reactive.adoc
@@ -2,6 +2,84 @@
 
 If you have already performed the xref:migration/index.adoc[initial migration steps] for your Reactive application, you're now ready to perform steps specific to Reactive applications.
 
+== Exploit Protection Migrations
+
+The following steps relate to changes around how to configure CSRF.
+
+=== Configure `tokenFromMultipartDataEnabled`
+
+In Spring Security 5.8, the method `tokenFromMultipartDataEnabled` was deprecated in favor of `ServerCsrfTokenRequestAttributeHandler#setTokenFromMultipartDataEnabled`.
+
+To address the deprecation, the following code:
+
+.Configure `tokenFromMultipartDataEnabled` with DSL
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
+ http
+ // ...
+ .csrf((csrf) -> csrf
+ .tokenFromMultipartDataEnabled(true)
+ );
+ return http.build();
+}
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun securityWebFilterChain(http: HttpSecurity): SecurityWebFilterChain {
+ return http {
+ // ...
+ csrf {
+ tokenFromMultipartDataEnabled = true
+ }
+ }
+}
+----
+====
+
+can be replaced with:
+
+.Configure `tokenFromMultipartDataEnabled` with `ServerCsrfTokenRequestAttributeHandler`
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
+ ServerCsrfTokenRequestAttributeHandler requestHandler = new ServerCsrfTokenRequestAttributeHandler();
+ requestHandler.setTokenFromMultipartDataEnabled(true);
+ http
+ // ...
+ .csrf((csrf) -> csrf
+ .csrfTokenRequestHandler(requestHandler)
+ );
+ return http.build();
+}
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun securityWebFilterChain(http: HttpSecurity): SecurityWebFilterChain {
+ val requestHandler = ServerCsrfTokenRequestAttributeHandler()
+ requestHandler.tokenFromMultipartDataEnabled = true
+ return http {
+ // ...
+ csrf {
+ csrfTokenRequestHandler = requestHandler
+ }
+ }
+}
+----
+====
+
 == Use `AuthorizationManager` for Method Security
 
 xref:reactive/authorization/method.adoc[Method Security] has been xref:reactive/authorization/method.adoc#jc-enable-reactive-method-security-authorization-manager[improved] through {security-api-url}org/springframework/security/authorization/AuthorizationManager.html[the `AuthorizationManager` API] and direct use of Spring AOP.

From a61fffc20957bb10eb092ff42d1c4294ace6c916 Mon Sep 17 00:00:00 2001
From: Steve Riesenberg
Date: Wed, 16 Nov 2022 16:42:15 -0600
Subject: [PATCH 2/2] Document reactive support for CSRF BREACH

Issue gh-11959
---
 .../ROOT/pages/migration/reactive.adoc | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/docs/modules/ROOT/pages/migration/reactive.adoc b/docs/modules/ROOT/pages/migration/reactive.adoc
index 8c9696733c..5c189cfb70 100644
--- a/docs/modules/ROOT/pages/migration/reactive.adoc
+++ b/docs/modules/ROOT/pages/migration/reactive.adoc
@@ -80,6 +80,45 @@ open fun securityWebFilterChain(http: HttpSecurity): SecurityWebFilterChain {
 ----
 ====
 
+=== Protect against CSRF BREACH
+
+You can opt into Spring Security 6's default support for BREACH protection of the `CsrfToken` using the following configuration:
+
+.`CsrfToken` BREACH Protection
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
+ XorServerCsrfTokenRequestAttributeHandler requestHandler = new XorServerCsrfTokenRequestAttributeHandler();
+ // ...
+ http
+ // ...
+ .csrf((csrf) -> csrf
+ .csrfTokenRequestHandler(requestHandler)
+ );
+ return http.build();
+}
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun securityWebFilterChain(http: HttpSecurity): SecurityWebFilterChain {
+ val requestHandler = XorServerCsrfTokenRequestAttributeHandler()
+ // ...
+ return http {
+ // ...
+ csrf {
+ csrfTokenRequestHandler = requestHandler
+ }
+ }
+}
+----
+====
+
 == Use `AuthorizationManager` for Method Security
 
 xref:reactive/authorization/method.adoc[Method Security] has been xref:reactive/authorization/method.adoc#jc-enable-reactive-method-security-authorization-manager[improved] through {security-api-url}org/springframework/security/authorization/AuthorizationManager.html[the `AuthorizationManager` API] and direct use of Spring AOP.