Steve Riesenberg
parent
0d4c619648
commit
45b81b194b
|
|
@ -7,8 +7,20 @@ The following steps relate to changes around how to configure CSRF.
|
||||||
In Spring Security 5, the default behavior is that the `CsrfToken` will be loaded on every request.
|
In Spring Security 5, the default behavior is that the `CsrfToken` will be loaded on every request.
|
||||||
This means that in a typical setup, the `HttpSession` must be read for every request even if it is unnecessary.
|
This means that in a typical setup, the `HttpSession` must be read for every request even if it is unnecessary.
|
||||||
|
|
||||||
|
[NOTE]
|
||||||
|
====
|
||||||
|
Some examples of where it should be unnecessary to read the session include endpoints marked `permitAll()` such as static assets, static HTML pages, single-page applications hosted under the same domain/server, etc.
|
||||||
|
====
|
||||||
|
|
||||||
In Spring Security 6, the default is that the lookup of the `CsrfToken` will be deferred until it is needed.
|
In Spring Security 6, the default is that the lookup of the `CsrfToken` will be deferred until it is needed.
|
||||||
|
|
||||||
|
[NOTE]
|
||||||
|
====
|
||||||
|
The `CsrfToken` is needed whenever a request is made with an HTTP verb that would change the state of the application.
|
||||||
|
This is covered in detail in xref:features/exploits/csrf.adoc#csrf-protection-idempotent[Safe Methods Must be Idempotent].
|
||||||
|
Additionally, it is needed by any request that renders the token to the response, such as a web page with a `<form>` tag that includes a hidden `<input>` for the CSRF token.
|
||||||
|
====
|
||||||
|
|
||||||
To opt into the new Spring Security 6 default, the following configuration can be used.
|
To opt into the new Spring Security 6 default, the following configuration can be used.
|
||||||
|
|
||||||
[[servlet-opt-in-defer-loading-csrf-token]]
|
[[servlet-opt-in-defer-loading-csrf-token]]
|
||||||
|
|
@ -18,7 +30,7 @@ To opt into the new Spring Security 6 default, the following configuration can b
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@Bean
|
@Bean
|
||||||
DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
|
public SecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
|
||||||
CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
|
CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
|
||||||
// set the name of the attribute the CsrfToken will be populated on
|
// set the name of the attribute the CsrfToken will be populated on
|
||||||
requestHandler.setCsrfRequestAttributeName("_csrf");
|
requestHandler.setCsrfRequestAttributeName("_csrf");
|
||||||
|
|
@ -61,7 +73,156 @@ open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
|
||||||
If this breaks your application, then you can explicitly opt into the 5.8 defaults using the following configuration:
|
[NOTE]
|
||||||
|
====
|
||||||
|
When the `CsrfToken` is deferred (the default in Spring Security 6), some applications may break due to the fact that they were designed with non-deferred CSRF tokens.
|
||||||
|
See <<servlet-defer-loading-csrf-token-opt-out,Opt-out Steps>> below for more information.
|
||||||
|
====
|
||||||
|
|
||||||
|
[[servlet-defer-loading-csrf-token-opt-out]]
|
||||||
|
=== Opt-out Steps
|
||||||
|
|
||||||
|
If configuring the `CsrfToken` to be deferred gives you trouble, take a look at these scenarios for optimal opt out behavior:
|
||||||
|
|
||||||
|
==== I am using a Single-Page Application with `CookieCsrfTokenRepository`
|
||||||
|
|
||||||
|
If you are using a single-page app (SPA) to connect to a backend protected by Spring Security along with `CookieCsrfTokenRepository.withHttpOnlyFalse()`, you may find that the CSRF token is no longer returned to your application as a cookie on the first request to the server.
|
||||||
|
|
||||||
|
In this case, you have several options for restoring the behavior your client-side application expects.
|
||||||
|
One option is to add a `Filter` that eagerly renders the `CsrfToken` to the response regardless of which request is made first, like so:
|
||||||
|
|
||||||
|
.Add a `Filter` to return a cookie on the response
|
||||||
|
====
|
||||||
|
.Java
|
||||||
|
[source,java,role="primary"]
|
||||||
|
----
|
||||||
|
@Bean
|
||||||
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||||
|
CookieCsrfTokenRepository tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
|
||||||
|
CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
|
||||||
|
// set the name of the attribute the CsrfToken will be populated on
|
||||||
|
requestHandler.setCsrfRequestAttributeName("_csrf");
|
||||||
|
http
|
||||||
|
// ...
|
||||||
|
.csrf((csrf) -> csrf
|
||||||
|
.csrfTokenRepository(tokenRepository)
|
||||||
|
.csrfTokenRequestHandler(requestHandler)
|
||||||
|
)
|
||||||
|
.addFilterAfter(new CsrfCookieFilter(), BasicAuthenticationFilter.class);
|
||||||
|
|
||||||
|
return http.build();
|
||||||
|
}
|
||||||
|
|
||||||
|
private static final class CsrfCookieFilter extends OncePerRequestFilter {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
|
||||||
|
throws ServletException, IOException {
|
||||||
|
CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
|
||||||
|
// Render the token value to a cookie by causing the deferred token to be loaded
|
||||||
|
csrfToken.getToken();
|
||||||
|
|
||||||
|
filterChain.doFilter(request, response);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
----
|
||||||
|
|
||||||
|
.Kotlin
|
||||||
|
[source,kotlin,role="secondary"]
|
||||||
|
----
|
||||||
|
@Bean
|
||||||
|
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
|
val tokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse()
|
||||||
|
val requestHandler = CsrfTokenRequestAttributeHandler()
|
||||||
|
// set the name of the attribute the CsrfToken will be populated on
|
||||||
|
requestHandler.setCsrfRequestAttributeName("_csrf")
|
||||||
|
http {
|
||||||
|
csrf {
|
||||||
|
csrfTokenRepository = tokenRepository
|
||||||
|
csrfTokenRequestHandler = requestHandler
|
||||||
|
}
|
||||||
|
addFilterAfter<BasicAuthenticationFilter>(CsrfCookieFilter())
|
||||||
|
}
|
||||||
|
return http.build()
|
||||||
|
}
|
||||||
|
|
||||||
|
class CsrfCookieFilter : OncePerRequestFilter() {
|
||||||
|
|
||||||
|
override fun doFilterInternal(request: HttpServletRequest, response: HttpServletResponse, filterChain: FilterChain) {
|
||||||
|
val csrfToken = request.getAttribute(CsrfToken::class.java.name) as CsrfToken
|
||||||
|
// Render the token value to a cookie by causing the deferred token to be loaded
|
||||||
|
csrfToken.token
|
||||||
|
|
||||||
|
filterChain.doFilter(request, response)
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
----
|
||||||
|
====
|
||||||
|
|
||||||
|
The option above does not require changes to the single-page application, but does cause the `CsrfToken` to be loaded on every request.
|
||||||
|
If you do not wish to add a `Filter` to eagerly load tokens on every request, additional options are listed below.
|
||||||
|
|
||||||
|
==== I am using a Single-Page Application with `HttpSessionCsrfTokenRepository`
|
||||||
|
|
||||||
|
If you are using sessions, your application will benefit from deferred tokens.
|
||||||
|
Instead of opting out, another option is to add a new `@RestController` with a `/csrf` endpoint, like so:
|
||||||
|
|
||||||
|
.Add a `/csrf` endpoint
|
||||||
|
====
|
||||||
|
.Java
|
||||||
|
[source,java,role="primary"]
|
||||||
|
----
|
||||||
|
@RestController
|
||||||
|
public class CsrfController {
|
||||||
|
|
||||||
|
@GetMapping("/csrf")
|
||||||
|
public CsrfToken csrf(CsrfToken csrfToken) {
|
||||||
|
return csrfToken;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
----
|
||||||
|
|
||||||
|
.Kotlin
|
||||||
|
[source,kotlin,role="secondary"]
|
||||||
|
----
|
||||||
|
@RestController
|
||||||
|
class CsrfController {
|
||||||
|
|
||||||
|
@GetMapping("/csrf")
|
||||||
|
fun csrf(csrfToken: CsrfToken): CsrfToken {
|
||||||
|
return csrfToken
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
----
|
||||||
|
====
|
||||||
|
|
||||||
|
[NOTE]
|
||||||
|
====
|
||||||
|
You may consider adding `.requestMatchers("/csrf").permitAll()` if the endpoint above is required prior to authenticating with the server.
|
||||||
|
====
|
||||||
|
|
||||||
|
The `/csrf` endpoint would need to be consumed by the client-side application in order to bootstrap the application for subsequent requests.
|
||||||
|
|
||||||
|
[NOTE]
|
||||||
|
====
|
||||||
|
Instructions for calling the `/csrf` endpoint on application launch are specific to your client-side framework and therefore outside the scope of this document.
|
||||||
|
====
|
||||||
|
|
||||||
|
[NOTE]
|
||||||
|
====
|
||||||
|
While this requires changes to your single-page application, the benefit is that the CSRF token is only loaded once and the token can continue to be deferred.
|
||||||
|
This approach works particularly well with applications that use `HttpSessionCsrfTokenRepository` and do benefit from deferred tokens by allowing the `HttpSession` not to be read on every request.
|
||||||
|
====
|
||||||
|
|
||||||
|
If you simply wish to opt out of deferred tokens altogether, that option is listed next.
|
||||||
|
|
||||||
|
==== I need to opt out of deferred tokens for another reason
|
||||||
|
|
||||||
|
If deferred tokens break your application for another reason, then you can explicitly opt into the 5.8 defaults using the following configuration:
|
||||||
|
|
||||||
.Explicit Configure `CsrfToken` with 5.8 Defaults
|
.Explicit Configure `CsrfToken` with 5.8 Defaults
|
||||||
====
|
====
|
||||||
|
|
@ -69,7 +230,7 @@ If this breaks your application, then you can explicitly opt into the 5.8 defaul
|
||||||
[source,java,role="primary"]
|
[source,java,role="primary"]
|
||||||
----
|
----
|
||||||
@Bean
|
@Bean
|
||||||
DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||||
CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
|
CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
|
||||||
// set the name of the attribute the CsrfToken will be populated on
|
// set the name of the attribute the CsrfToken will be populated on
|
||||||
requestHandler.setCsrfRequestAttributeName(null);
|
requestHandler.setCsrfRequestAttributeName(null);
|
||||||
|
|
@ -86,7 +247,7 @@ DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
|
||||||
[source,kotlin,role="secondary"]
|
[source,kotlin,role="secondary"]
|
||||||
----
|
----
|
||||||
@Bean
|
@Bean
|
||||||
open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
|
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
|
||||||
val requestHandler = CsrfTokenRequestAttributeHandler()
|
val requestHandler = CsrfTokenRequestAttributeHandler()
|
||||||
// set the name of the attribute the CsrfToken will be populated on
|
// set the name of the attribute the CsrfToken will be populated on
|
||||||
requestHandler.setCsrfRequestAttributeName(null)
|
requestHandler.setCsrfRequestAttributeName(null)
|
||||||
|
|
@ -115,6 +276,12 @@ open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
|
||||||
|
[NOTE]
|
||||||
|
====
|
||||||
|
By setting the `csrfRequestAttributeName` to `null`, the `CsrfToken` must first be loaded to determine what attribute name to use.
|
||||||
|
This causes the `CsrfToken` to be loaded on every request.
|
||||||
|
====
|
||||||
|
|
||||||
== Protect against CSRF BREACH
|
== Protect against CSRF BREACH
|
||||||
|
|
||||||
If the steps for <<Defer Loading CsrfToken>> work for you, then you can also opt into Spring Security 6's default support for BREACH protection of the `CsrfToken` using the following configuration:
|
If the steps for <<Defer Loading CsrfToken>> work for you, then you can also opt into Spring Security 6's default support for BREACH protection of the `CsrfToken` using the following configuration:
|
||||||
|
|
@ -240,6 +407,21 @@ open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
|
||||||
----
|
----
|
||||||
====
|
====
|
||||||
|
|
||||||
|
This is the RECOMMENDED way to configure Spring Security to work with a client-side application that uses cookie values, because it continues to allow the response to return a randomized value for the CSRF token in case the application returns HTML or other responses that could be vulnerable to BREACH without your knowledge.
|
||||||
|
|
||||||
|
[NOTE]
|
||||||
|
====
|
||||||
|
BREACH protection works to protect the token when it is included in a response body that can be GZIP compressed, which generally does not include headers and cookies.
|
||||||
|
====
|
||||||
|
|
||||||
|
[TIP]
|
||||||
|
====
|
||||||
|
Any token value returned by the server can be used successfully by the client-side application because the underlying (raw) CSRF token does not change.
|
||||||
|
It is not required for an AngularJS (or similar) application to refresh the CSRF token before/after every request.
|
||||||
|
====
|
||||||
|
|
||||||
|
If you simply wish to opt out of CSRF BREACH protection altogether, that option is listed next.
|
||||||
|
|
||||||
==== I need to opt out of CSRF BREACH protection for another reason
|
==== I need to opt out of CSRF BREACH protection for another reason
|
||||||
|
|
||||||
If CSRF BREACH protection does not work for you for another reason, you can opt out using the configuration from the <<servlet-opt-in-defer-loading-csrf-token>> section.
|
If CSRF BREACH protection does not work for you for another reason, you can opt out using the configuration from the <<servlet-opt-in-defer-loading-csrf-token>> section.
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue