
Merge branch '6.0.x'

Closes gh-12684
Steve Riesenberg 2 vuotta sitten
vanhempi
commit
5286b78308

+ 7 - 7
docs/modules/ROOT/pages/reactive/exploits/csrf.adoc

@@ -109,14 +109,14 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
 [[webflux-csrf-configure-request-handler]]
 ==== Configure ServerCsrfTokenRequestHandler
 
-Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[`CsrfWebFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[`Mono<CsrfToken>`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.html[`ServerCsrfTokenRequestHandler`].
-The default implementation is `ServerCsrfTokenRequestAttributeHandler`.
+Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[`CsrfWebFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfToken.html[`Mono<CsrfToken>`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.html[`ServerCsrfTokenRequestHandler`].
+In 5.8, the default implementation was `ServerCsrfTokenRequestAttributeHandler`, which simply makes the `Mono<CsrfToken>` available as an exchange attribute.
 
-An alternate implementation `XorServerCsrfTokenRequestAttributeHandler` is available to provide protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
+As of 6.0, the default implementation is `XorServerCsrfTokenRequestAttributeHandler`, which provides protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
 
-You can configure `XorServerCsrfTokenRequestAttributeHandler` using the following Java configuration:
+If you wish to disable BREACH protection of the `CsrfToken` and revert to the 5.8 default, you can configure `ServerCsrfTokenRequestAttributeHandler` using the following Java configuration:
 
-.Configure BREACH protection
+.Disable BREACH protection
 ====
 .Java
 [source,java,role="primary"]
@@ -126,7 +126,7 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
 	http
 		// ...
 		.csrf(csrf -> csrf
-			.csrfTokenRequestHandler(new XorServerCsrfTokenRequestAttributeHandler())
+			.csrfTokenRequestHandler(new ServerCsrfTokenRequestAttributeHandler())
 		)
 	return http.build();
 }
@@ -140,7 +140,7 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
     return http {
         // ...
         csrf {
-            csrfTokenRequestHandler = XorServerCsrfTokenRequestAttributeHandler()
+            csrfTokenRequestHandler = ServerCsrfTokenRequestAttributeHandler()
         }
     }
 }

+ 9 - 9
docs/modules/ROOT/pages/servlet/exploits/csrf.adoc

@@ -168,13 +168,13 @@ class SecurityConfig {
 ==== Configure CsrfTokenRequestHandler
 
 Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfFilter.html[`CsrfFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[`CsrfToken`] as an `HttpServletRequest` attribute named `_csrf` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfTokenRequestHandler.html[CsrfTokenRequestHandler].
-The default implementation is `CsrfTokenRequestAttributeHandler`.
+In 5.8, the default implementation was `CsrfTokenRequestAttributeHandler` which simply makes the `_csrf` attribute available as a request attribute.
 
-An alternate implementation `XorCsrfTokenRequestAttributeHandler` is available to provide protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
+As of 6.0, the default implementation is `XorCsrfTokenRequestAttributeHandler`, which provides protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
 
-You can configure `XorCsrfTokenRequestAttributeHandler` in XML using the following:
+If you wish to disable BREACH protection of the `CsrfToken` and revert to the 5.8 default, you can configure `CsrfTokenRequestAttributeHandler` in XML using the following:
 
-.Configure BREACH protection XML Configuration
+.Disable BREACH protection XML Configuration
 ====
 [source,xml]
 ----
@@ -183,13 +183,13 @@ You can configure `XorCsrfTokenRequestAttributeHandler` in XML using the followi
 	<csrf request-handler-ref="requestHandler"/>
 </http>
 <b:bean id="requestHandler"
-	class="org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler"/>
+	class="org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler"/>
 ----
 ====
 
-You can configure `XorCsrfTokenRequestAttributeHandler` in Java Configuration using the following:
+You can configure `CsrfTokenRequestAttributeHandler` in Java Configuration using the following:
 
-.Configure BREACH protection
+.Disable BREACH protection
 ====
 .Java
 [source,java,role="primary"]
@@ -201,7 +201,7 @@ public class WebSecurityConfig {
 	public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 		http
 			.csrf(csrf -> csrf
-				.csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler())
+				.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
 			);
 		return http.build();
 	}
@@ -218,7 +218,7 @@ class SecurityConfig {
     open fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http {
             csrf {
-                csrfTokenRequestHandler = XorCsrfTokenRequestAttributeHandler()
+                csrfTokenRequestHandler = CsrfTokenRequestAttributeHandler()
             }
         }
         return http.build()