diff --git a/docs/modules/ROOT/pages/migration/servlet/exploits.adoc b/docs/modules/ROOT/pages/migration/servlet/exploits.adoc
index 0e41a8a263..379c1f83ac 100644
--- a/docs/modules/ROOT/pages/migration/servlet/exploits.adoc
+++ b/docs/modules/ROOT/pages/migration/servlet/exploits.adoc
@@ -243,3 +243,65 @@ open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
 ==== I need to opt out of CSRF BREACH protection for another reason
 If CSRF BREACH protection does not work for you for another reason, you can opt out using the configuration from the <> section.
+
+== CSRF BREACH with WebSocket support
+
+If the steps for <> work for normal HTTP requests and you are using xref:servlet/integrations/websocket.adoc[WebSocket Security] support, then you can also opt into Spring Security 6's default support for BREACH protection of the `CsrfToken` with xref:servlet/integrations/websocket.adoc#websocket-sameorigin-csrf[Stomp headers].
+
+.WebSocket Security BREACH Protection
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+ChannelInterceptor csrfChannelInterceptor() {
+ return new XorCsrfChannelInterceptor();
+}
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun csrfChannelInterceptor(): ChannelInterceptor {
+ return XorCsrfChannelInterceptor()
+}
+----
+
+.XML
+[source,xml,role="secondary"]
+----
+
+----
+====
+
+If configuring CSRF BREACH protection for WebSocket Security gives you trouble, you can configure the 5.8 default using the following configuration:
+
+.Configure WebSocket Security with 5.8 default
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+ChannelInterceptor csrfChannelInterceptor() {
+ return new CsrfChannelInterceptor();
+}
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun csrfChannelInterceptor(): ChannelInterceptor {
+ return CsrfChannelInterceptor()
+}
+----
+
+.XML
+[source,xml,role="secondary"]
+----
+
+----
+====