|
|
|
|
@ -0,0 +1,338 @@
|
|
|
|
|
[[webflux-csrf]]
|
|
|
|
|
= Cross Site Request Forgery (CSRF) for WebFlux Environments
|
|
|
|
|
|
|
|
|
|
This section discusses Spring Security's <<csrf,Cross Site Request Forgery (CSRF)>> support for WebFlux environments.
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-using]]
|
|
|
|
|
== Using Spring Security CSRF Protection
|
|
|
|
|
The steps to using Spring Security's CSRF protection are outlined below:
|
|
|
|
|
|
|
|
|
|
* <<webflux-csrf-idempotent,Use proper HTTP verbs>>
|
|
|
|
|
* <<webflux-csrf-configure,Configure CSRF Protection>>
|
|
|
|
|
* <<webflux-csrf-include,Include the CSRF Token>>
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-idempotent]]
|
|
|
|
|
=== Use proper HTTP verbs
|
|
|
|
|
The first step to protecting against CSRF attacks is to ensure your website uses proper HTTP verbs.
|
|
|
|
|
This is covered in detail in <<csrf-protection-idempotent,Safe Methods Must be Idempotent>>.
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-configure]]
|
|
|
|
|
=== Configure CSRF Protection
|
|
|
|
|
The next step is to configure Spring Security's CSRF protection within your application.
|
|
|
|
|
Spring Security's CSRF protection is enabled by default, but you may need to customize the configuration.
|
|
|
|
|
Below are a few common customizations.
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-configure-custom-repository]]
|
|
|
|
|
==== Custom CsrfTokenRepository
|
|
|
|
|
|
|
|
|
|
By default Spring Security stores the expected CSRF token in the `WebSession` using `WebSessionServerCsrfTokenRepository`.
|
|
|
|
|
There can be cases where users will want to configure a custom `ServerCsrfTokenRepository`.
|
|
|
|
|
For example, it might be desirable to persist the `CsrfToken` in a cookie to <<webflux-csrf-include-ajax-auto,support a JavaScript based application>>.
|
|
|
|
|
|
|
|
|
|
By default the `CookieServerCsrfTokenRepository` will write to a cookie named `XSRF-TOKEN` and read it from a header named `X-XSRF-TOKEN` or the HTTP parameter `_csrf`.
|
|
|
|
|
These defaults come from https://docs.angularjs.org/api/ng/service/$http#cross-site-request-forgery-xsrf-protection[AngularJS]
|
|
|
|
|
|
|
|
|
|
You can configure `CookieCsrfTokenRepository` in Java Configuration using:
|
|
|
|
|
|
|
|
|
|
.Store CSRF Token in a Cookie with Java Configuration
|
|
|
|
|
====
|
|
|
|
|
[source,java]
|
|
|
|
|
-----
|
|
|
|
|
@Bean
|
|
|
|
|
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
|
|
|
|
http
|
|
|
|
|
// ...
|
|
|
|
|
.csrf(csrf -> csrf.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse()))
|
|
|
|
|
return http.build();
|
|
|
|
|
}
|
|
|
|
|
-----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
[NOTE]
|
|
|
|
|
====
|
|
|
|
|
The sample explicitly sets `cookieHttpOnly=false`.
|
|
|
|
|
This is necessary to allow JavaScript (i.e. AngularJS) to read it.
|
|
|
|
|
If you do not need the ability to read the cookie with JavaScript directly, it is recommended to omit `cookieHttpOnly=false` (by using `new CookieServerCsrfTokenRepository()` instead) to improve security.
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-configure-disable]]
|
|
|
|
|
==== Disable CSRF Protection
|
|
|
|
|
CSRF protection is enabled by default.
|
|
|
|
|
However, it is simple to disable CSRF protection if it <<csrf-when,makes sense for your application>>.
|
|
|
|
|
|
|
|
|
|
The Java configuration below will disable CSRF protection.
|
|
|
|
|
|
|
|
|
|
.Disable CSRF Java Configuration
|
|
|
|
|
====
|
|
|
|
|
[source,java]
|
|
|
|
|
----
|
|
|
|
|
@Bean
|
|
|
|
|
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
|
|
|
|
http
|
|
|
|
|
// ...
|
|
|
|
|
.csrf(csrf -> csrf.disable()))
|
|
|
|
|
return http.build();
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-include]]
|
|
|
|
|
=== Include the CSRF Token
|
|
|
|
|
|
|
|
|
|
In order for the <<csrf-protection-stp,synchronizer token pattern>> to protect against CSRF attacks, we must include the actual CSRF token in the HTTP request.
|
|
|
|
|
This must be included in a part of the request (i.e. form parameter, HTTP header, etc) that is not automatically included in the HTTP request by the browser.
|
|
|
|
|
|
|
|
|
|
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[CsrfWebFilter] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[Mono<CsrfToken>] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken`.
|
|
|
|
|
This means that any view technology can access the `Mono<CsrfToken>` to expose the expected token as either a <<webflux-csrf-include-form-attr,form>> or <<webflux-csrf-include-ajax-meta-attr,meta tag>>.
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-include-subscribe]]
|
|
|
|
|
If your view technology does not provide a simple way to subscribe to the `Mono<CsrfToken>`, a common pattern is to use Spring's `@ControllerAdvice` to expose the `CsrfToken` directly.
|
|
|
|
|
For example, the following code will place the `CsrfToken` on the default attribute name (`_csrf`) used by Spring Security's <<webflux-csrf-include-form-auto,CsrfRequestDataValueProcessor>> to automatically include the CSRF token as a hidden input.
|
|
|
|
|
|
|
|
|
|
.`CsrfToken` as `@ModelAttribute`
|
|
|
|
|
====
|
|
|
|
|
[source,java]
|
|
|
|
|
----
|
|
|
|
|
@ControllerAdvice
|
|
|
|
|
public class SecurityControllerAdvice {
|
|
|
|
|
@ModelAttribute
|
|
|
|
|
Mono<CsrfToken> csrfToken(ServerWebExchange exchange) {
|
|
|
|
|
Mono<CsrfToken> csrfToken = exchange.getAttribute(CsrfToken.class.getName());
|
|
|
|
|
return csrfToken.doOnSuccess(token -> exchange.getAttributes()
|
|
|
|
|
.put(CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME, token));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
Fortunately, Thymeleaf provides <<webflux-csrf-include-form-auto,integration>> that works without any additional work.
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-include-form]]
|
|
|
|
|
==== Form URL Encoded
|
|
|
|
|
In order to post an HTML form the CSRF token must be included in the form as a hidden input.
|
|
|
|
|
For example, the rendered HTML might look like:
|
|
|
|
|
|
|
|
|
|
.CSRF Token HTML
|
|
|
|
|
====
|
|
|
|
|
[source,html]
|
|
|
|
|
----
|
|
|
|
|
<input type="hidden"
|
|
|
|
|
name="_csrf"
|
|
|
|
|
value="4bfd1575-3ad1-4d21-96c7-4ef2d9f86721"/>
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
Next we will discuss various ways of including the CSRF token in a form as a hidden input.
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-include-form-auto]]
|
|
|
|
|
===== Automatic CSRF Token Inclusion
|
|
|
|
|
|
|
|
|
|
Spring Security's CSRF support provides integration with Spring's https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/reactive/result/view/RequestDataValueProcessor.html[RequestDataValueProcessor] via its https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/reactive/result/view/CsrfRequestDataValueProcessor.html[CsrfRequestDataValueProcessor].
|
|
|
|
|
In order for `CsrfRequestDataValueProcessor` to work, the `Mono<CsrfToken>` must be subscribed to and the `CsrfToken` must be <<webflux-csrf-include-subscribe,exposed as an attribute>> that matches https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/reactive/result/view/CsrfRequestDataValueProcessor.html#DEFAULT_CSRF_ATTR_NAME[DEFAULT_CSRF_ATTR_NAME].
|
|
|
|
|
|
|
|
|
|
Fortunately, Thymleaf https://www.thymeleaf.org/doc/tutorials/2.1/thymeleafspring.html#integration-with-requestdatavalueprocessor[provides support] to take care of all the boilerplate for you by integrating with `RequestDataValueProcessor` to ensure that forms that have an unsafe HTTP method (i.e. post) will automatically include the actual CSRF token.
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-include-form-attr]]
|
|
|
|
|
===== CsrfToken Request Attribute
|
|
|
|
|
|
|
|
|
|
If the <<webflux-csrf-include,other options>> for including the actual CSRF token in the request do not work, you can take advantage of the fact that the `Mono<CsrfToken>` <<webflux-csrf-include,is exposed>> as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken`.
|
|
|
|
|
|
|
|
|
|
The Thymeleaf sample below assumes that you <<webflux-csrf-include-subscribe,expose>> the `CsrfToken` on an attribute named `_csrf`.
|
|
|
|
|
|
|
|
|
|
.CSRF Token in Form with Request Attribute
|
|
|
|
|
====
|
|
|
|
|
[source,html]
|
|
|
|
|
----
|
|
|
|
|
<form th:action="@{/logout}"
|
|
|
|
|
method="post">
|
|
|
|
|
<input type="submit"
|
|
|
|
|
value="Log out" />
|
|
|
|
|
<input type="hidden"
|
|
|
|
|
th:name="${_csrf.parameterName}"
|
|
|
|
|
th:value="${_csrf.token}"/>
|
|
|
|
|
</form>
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-include-ajax]]
|
|
|
|
|
==== Ajax and JSON Requests
|
|
|
|
|
If you are using JSON, then it is not possible to submit the CSRF token within an HTTP parameter.
|
|
|
|
|
Instead you can submit the token within a HTTP header.
|
|
|
|
|
|
|
|
|
|
In the following sections we will discuss various ways of including the CSRF token as an HTTP request header in JavaScript based applications.
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-include-ajax-auto]]
|
|
|
|
|
===== Automatic Inclusion
|
|
|
|
|
|
|
|
|
|
Spring Security can easily be <<webflux-csrf-configure-custom-repository,configured>> to store the expected CSRF token in a cookie.
|
|
|
|
|
By storing the expected CSRF in a cookie, JavaScript frameworks like https://docs.angularjs.org/api/ng/service/$http#cross-site-request-forgery-xsrf-protection[AngularJS] will automatically include the actual CSRF token in the HTTP request headers.
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-include-ajax-meta]]
|
|
|
|
|
===== Meta tags
|
|
|
|
|
|
|
|
|
|
An alternative pattern to <<webflux-csrf-include-form-auto,exposing the CSRF in a cookie>> is to include the CSRF token within your `meta` tags.
|
|
|
|
|
The HTML might look something like this:
|
|
|
|
|
|
|
|
|
|
.CSRF meta tag HTML
|
|
|
|
|
====
|
|
|
|
|
[source,html]
|
|
|
|
|
----
|
|
|
|
|
<html>
|
|
|
|
|
<head>
|
|
|
|
|
<meta name="_csrf" content="4bfd1575-3ad1-4d21-96c7-4ef2d9f86721"/>
|
|
|
|
|
<meta name="_csrf_header" content="X-CSRF-TOKEN"/>
|
|
|
|
|
<!-- ... -->
|
|
|
|
|
</head>
|
|
|
|
|
<!-- ... -->
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
Once the meta tags contained the CSRF token, the JavaScript code would read the meta tags and include the CSRF token as a header.
|
|
|
|
|
If you were using jQuery, this could be done with the following:
|
|
|
|
|
|
|
|
|
|
.AJAX send CSRF Token
|
|
|
|
|
====
|
|
|
|
|
[source,javascript]
|
|
|
|
|
----
|
|
|
|
|
$(function () {
|
|
|
|
|
var token = $("meta[name='_csrf']").attr("content");
|
|
|
|
|
var header = $("meta[name='_csrf_header']").attr("content");
|
|
|
|
|
$(document).ajaxSend(function(e, xhr, options) {
|
|
|
|
|
xhr.setRequestHeader(header, token);
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
The sample below assumes that you <<webflux-csrf-include-subscribe,expose>> the `CsrfToken` on an attribute named `_csrf`.
|
|
|
|
|
An example of doing this with Thymeleaf is shown below:
|
|
|
|
|
|
|
|
|
|
.CSRF meta tag JSP
|
|
|
|
|
====
|
|
|
|
|
[source,html]
|
|
|
|
|
----
|
|
|
|
|
<html>
|
|
|
|
|
<head>
|
|
|
|
|
<meta name="_csrf" th:content="${_csrf.token}"/>
|
|
|
|
|
<!-- default header name is X-CSRF-TOKEN -->
|
|
|
|
|
<meta name="_csrf_header" th:content="${_csrf.headerName}"/>
|
|
|
|
|
<!-- ... -->
|
|
|
|
|
</head>
|
|
|
|
|
<!-- ... -->
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-considerations]]
|
|
|
|
|
== CSRF Considerations
|
|
|
|
|
There are a few special considerations to consider when implementing protection against CSRF attacks.
|
|
|
|
|
This section discusses those considerations as it pertains to WebFlux environments.
|
|
|
|
|
Refer to <<csrf-considerations>> for a more general discussion.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[[webflux-considerations-csrf-login]]
|
|
|
|
|
=== Logging In
|
|
|
|
|
|
|
|
|
|
It is important to <<csrf-considerations-login,require CSRF for log in>> requests to protect against forging log in attempts.
|
|
|
|
|
Spring Security's WebFlux support does this out of the box.
|
|
|
|
|
|
|
|
|
|
[[webflux-considerations-csrf-logout]]
|
|
|
|
|
=== Logging Out
|
|
|
|
|
|
|
|
|
|
It is important to <<csrf-considerations-logout,require CSRF for log out>> requests to protect against forging log out attempts.
|
|
|
|
|
By default Spring Security's `LogoutWebFilter` only processes HTTP post requests.
|
|
|
|
|
This ensures that log out requires a CSRF token and that a malicious user cannot forcibly log out your users.
|
|
|
|
|
|
|
|
|
|
The easiest approach is to use a form to log out.
|
|
|
|
|
If you really want a link, you can use JavaScript to have the link perform a POST (i.e. maybe on a hidden form).
|
|
|
|
|
For browsers with JavaScript that is disabled, you can optionally have the link take the user to a log out confirmation page that will perform the POST.
|
|
|
|
|
|
|
|
|
|
If you really want to use HTTP GET with logout you can do so, but remember this is generally not recommended.
|
|
|
|
|
For example, the following Java Configuration will perform logout with the URL `/logout` is requested with any HTTP method:
|
|
|
|
|
|
|
|
|
|
// FIXME: This should be a link to log out documentation
|
|
|
|
|
|
|
|
|
|
.Log out with HTTP GET
|
|
|
|
|
====
|
|
|
|
|
[source,java]
|
|
|
|
|
----
|
|
|
|
|
@Bean
|
|
|
|
|
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
|
|
|
|
http
|
|
|
|
|
// ...
|
|
|
|
|
.logout(logout -> logout.requiresLogout(new PathPatternParserServerWebExchangeMatcher("/logout")))
|
|
|
|
|
return http.build();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[[webflux-considerations-csrf-timeouts]]
|
|
|
|
|
=== CSRF and Session Timeouts
|
|
|
|
|
|
|
|
|
|
By default Spring Security stores the CSRF token in the `WebSession`.
|
|
|
|
|
This can lead to a situation where the session expires which means there is not an expected CSRF token to validate against.
|
|
|
|
|
|
|
|
|
|
We've already discussed <<csrf-considerations-login,general solutions>> to session timeouts.
|
|
|
|
|
This section discusses the specifics of CSRF timeouts as it pertains to the WebFlux support.
|
|
|
|
|
|
|
|
|
|
It is simple to change storage of the expected CSRF token to be in a cookie.
|
|
|
|
|
For details, refer to the <<webflux-csrf-configure-custom-repository>> section.
|
|
|
|
|
|
|
|
|
|
// FIXME: We should add a custom AccessDeniedHandler section in the reference and update the links above
|
|
|
|
|
|
|
|
|
|
// FIXME: We need a WebFlux multipart body vs action story. WebFlux always has multipart enabled.
|
|
|
|
|
[[webflux-csrf-considerations-multipart]]
|
|
|
|
|
=== Multipart (file upload)
|
|
|
|
|
We have <<csrf-considerations-multipart,already discussed>> how protecting multipart requests (file uploads) from CSRF attacks causes a https://en.wikipedia.org/wiki/Chicken_or_the_egg[chicken and the egg] problem.
|
|
|
|
|
This section discusses how to implement placing the CSRF token in the <<webflux-csrf-considerations-multipart-body,body>> and <<webflux-csrf-considerations-multipart-url,url>> within a WebFlux application.
|
|
|
|
|
|
|
|
|
|
[NOTE]
|
|
|
|
|
====
|
|
|
|
|
More information about using multipart forms with Spring can be found within the https://docs.spring.io/spring/docs/5.2.x/spring-framework-reference/web-reactive.html#webflux-multipart[Multipart Data] section of the Spring reference.
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-considerations-multipart-body]]
|
|
|
|
|
==== Place CSRF Token in the Body
|
|
|
|
|
|
|
|
|
|
We have <<csrf-considerations-multipart,already discussed>> the trade-offs of placing the CSRF token in the body.
|
|
|
|
|
|
|
|
|
|
In a WebFlux application, this can be configured with the following configuration:
|
|
|
|
|
|
|
|
|
|
.Enable obtaining CSRF token from multipart/form-data
|
|
|
|
|
====
|
|
|
|
|
[source,java]
|
|
|
|
|
----
|
|
|
|
|
@Bean
|
|
|
|
|
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
|
|
|
|
|
http
|
|
|
|
|
// ...
|
|
|
|
|
.csrf(csrf -> csrf.tokenFromMultipartDataEnabled(true))
|
|
|
|
|
return http.build();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-considerations-multipart-url]]
|
|
|
|
|
==== Include CSRF Token in URL
|
|
|
|
|
|
|
|
|
|
We have <<csrf-considerations-multipart,already discussed>> the trade-offs of placing the CSRF token in the URL.
|
|
|
|
|
Since the `CsrfToken` is exposed as an `ServerHttpRequest` <<webflux-csrf-include,request attribute>>, we can use that to create an `action` with the CSRF token in it.
|
|
|
|
|
An example with Thymeleaf is shown below:
|
|
|
|
|
|
|
|
|
|
.CSRF Token in Action
|
|
|
|
|
====
|
|
|
|
|
[source,html]
|
|
|
|
|
----
|
|
|
|
|
<form method="post"
|
|
|
|
|
th:action="@{/upload(${_csrf.parameterName}=${_csrf.token})}"
|
|
|
|
|
enctype="multipart/form-data">
|
|
|
|
|
----
|
|
|
|
|
====
|
|
|
|
|
|
|
|
|
|
[[webflux-csrf-considerations-override-method]]
|
|
|
|
|
=== HiddenHttpMethodFilter
|
|
|
|
|
We have <<csrf-considerations-override-method,already discussed>> overriding the HTTP method.
|
|
|
|
|
|
|
|
|
|
In a Spring WebFlux application, overriding the HTTP method is done using https://docs.spring.io/spring-framework/docs/5.2.x/javadoc-api/org/springframework/web/filter/reactive/HiddenHttpMethodFilter.html[HiddenHttpMethodFilter].
|
Rob Winch