diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/csrf.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/csrf.adoc
index 54f8b6c1ed..ec05a78fc0 100644
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/csrf.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/exploits/csrf.adoc
@@ -59,9 +59,10 @@ If you do not need the ability to read the cookie with JavaScript directly, it i
 You can configure `CookieCsrfTokenRepository` in Java Configuration using:
-.Store CSRF Token in a Cookie with Java Configuration
+.Store CSRF Token in a Cookie
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
 @EnableWebSecurity
 public class WebSecurityConfig extends
@@ -76,6 +77,22 @@ public class WebSecurityConfig extends
 }
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@EnableWebSecurity
+class SecurityConfig : WebSecurityConfigurerAdapter() {
+
+    override fun configure(http: HttpSecurity) {
+        http {
+            csrf {
+                csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse()
+            }
+        }
+    }
+}
+----
 ====
 [NOTE]
@@ -106,9 +123,10 @@ The XML configuration below will disable CSRF protection.
 The Java configuration below will disable CSRF protection.
-.Disable CSRF Java Configuration
+.Disable CSRF
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
 @Configuration
 @EnableWebSecurity
@@ -122,6 +140,23 @@ public class WebSecurityConfig extends
 }
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Configuration
+@EnableWebSecurity
+class SecurityConfig : WebSecurityConfigurerAdapter() {
+
+    override fun configure(http: HttpSecurity) {
+        http {
+            csrf {
+                disable()
+            }
+        }
+    }
+}
+----
 ====
 [[servlet-csrf-include]]
@@ -291,7 +326,8 @@ For example, the following Java Configuration will perform logout with the URL `
 .Log out with HTTP GET
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
 @EnableWebSecurity
 public class WebSecurityConfig extends
@@ -306,6 +342,22 @@ public class WebSecurityConfig extends
 }
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@EnableWebSecurity
+class SecurityConfig : WebSecurityConfigurerAdapter() {
+
+    override fun configure(http: HttpSecurity) {
+        http {
+            logout {
+                logoutRequestMatcher = AntPathRequestMatcher("/logout")
+            }
+        }
+    }
+}
+----
 ====
@@ -354,7 +406,8 @@ To ensure `MultipartFilter` is specified before the Spring Security filter with
 .Initializer MultipartFilter
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
 public class SecurityApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
@@ -364,6 +417,16 @@ public class SecurityApplicationInitializer extends AbstractSecurityWebApplicati
 }
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+class SecurityApplicationInitializer : AbstractSecurityWebApplicationInitializer() {
+    override fun beforeSpringSecurityFilterChain(servletContext: ServletContext?) {
+        insertFilters(servletContext, MultipartFilter())
+    }
+}
+----
 ====
 To ensure `MultipartFilter` is specified before the Spring Security filter with XML configuration, users can ensure the element of the `MultipartFilter` is placed before the springSecurityFilterChain within the web.xml as shown below: