Merge branch '6.0.x'

Closes gh-12684
Steve Riesenberg 2023-02-16 13:27:17 -06:00
commit 5286b78308
GPG Key ID: 5F311AB48A55D521
2 changed files with 16 additions and 16 deletions


@ -109,14 +109,14 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
[[webflux-csrf-configure-request-handler]] [[webflux-csrf-configure-request-handler]]
==== Configure ServerCsrfTokenRequestHandler ==== Configure ServerCsrfTokenRequestHandler
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[`CsrfWebFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[`Mono<CsrfToken>`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.html[`ServerCsrfTokenRequestHandler`]. Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[`CsrfWebFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfToken.html[`Mono<CsrfToken>`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.html[`ServerCsrfTokenRequestHandler`].
The default implementation is `ServerCsrfTokenRequestAttributeHandler`. In 5.8, the default implementation was `ServerCsrfTokenRequestAttributeHandler`, which simply makes the `Mono<CsrfToken>` available as an exchange attribute.
An alternate implementation `XorServerCsrfTokenRequestAttributeHandler` is available to provide protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]). As of 6.0, the default implementation is `XorServerCsrfTokenRequestAttributeHandler`, which provides protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
You can configure `XorServerCsrfTokenRequestAttributeHandler` using the following Java configuration: If you wish to disable BREACH protection of the `CsrfToken` and revert to the 5.8 default, you can configure `ServerCsrfTokenRequestAttributeHandler` using the following Java configuration:
.Configure BREACH protection .Disable BREACH protection
==== ====
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
@ -126,7 +126,7 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
http http
// ... // ...
.csrf(csrf -> csrf .csrf(csrf -> csrf
.csrfTokenRequestHandler(new XorServerCsrfTokenRequestAttributeHandler()) .csrfTokenRequestHandler(new ServerCsrfTokenRequestAttributeHandler())
) )
return http.build(); return http.build();
} }
@ -140,7 +140,7 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
return http { return http {
// ... // ...
csrf { csrf {
csrfTokenRequestHandler = XorServerCsrfTokenRequestAttributeHandler() csrfTokenRequestHandler = ServerCsrfTokenRequestAttributeHandler()
} }
} }
} }


@ -168,13 +168,13 @@ class SecurityConfig {
==== Configure CsrfTokenRequestHandler ==== Configure CsrfTokenRequestHandler
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfFilter.html[`CsrfFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[`CsrfToken`] as an `HttpServletRequest` attribute named `_csrf` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfTokenRequestHandler.html[CsrfTokenRequestHandler]. Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfFilter.html[`CsrfFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[`CsrfToken`] as an `HttpServletRequest` attribute named `_csrf` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfTokenRequestHandler.html[CsrfTokenRequestHandler].
The default implementation is `CsrfTokenRequestAttributeHandler`. In 5.8, the default implementation was `CsrfTokenRequestAttributeHandler` which simply makes the `_csrf` attribute available as a request attribute.
An alternate implementation `XorCsrfTokenRequestAttributeHandler` is available to provide protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]). As of 6.0, the default implementation is `XorCsrfTokenRequestAttributeHandler`, which provides protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
You can configure `XorCsrfTokenRequestAttributeHandler` in XML using the following: If you wish to disable BREACH protection of the `CsrfToken` and revert to the 5.8 default, you can configure `CsrfTokenRequestAttributeHandler` in XML using the following:
.Configure BREACH protection XML Configuration .Disable BREACH protection XML Configuration
==== ====
[source,xml] [source,xml]
---- ----
@ -183,13 +183,13 @@ You can configure `XorCsrfTokenRequestAttributeHandler` in XML using the followi
<csrf request-handler-ref="requestHandler"/> <csrf request-handler-ref="requestHandler"/>
</http> </http>
<b:bean id="requestHandler" <b:bean id="requestHandler"
class="org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler"/> class="org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler"/>
---- ----
==== ====
You can configure `XorCsrfTokenRequestAttributeHandler` in Java Configuration using the following: You can configure `CsrfTokenRequestAttributeHandler` in Java Configuration using the following:
.Configure BREACH protection .Disable BREACH protection
==== ====
.Java .Java
[source,java,role="primary"] [source,java,role="primary"]
@ -201,7 +201,7 @@ public class WebSecurityConfig {
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http http
.csrf(csrf -> csrf .csrf(csrf -> csrf
.csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler()) .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
); );
return http.build(); return http.build();
} }
@ -218,7 +218,7 @@ class SecurityConfig {
open fun filterChain(http: HttpSecurity): SecurityFilterChain { open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http { http {
csrf { csrf {
csrfTokenRequestHandler = XorCsrfTokenRequestAttributeHandler() csrfTokenRequestHandler = CsrfTokenRequestAttributeHandler()
} }
} }
return http.build() return http.build()