Remove CsrfSpec.tokenFromMultipartDataEnabled

Also removed ServerCsrfDsl.tokenFromMultipartDataEnabled Closes gh-12020
2022-10-13 10:55:04 -05:00 · 2022-10-13 10:55:04 -05:00 · 819529f5ea
parent db7732dd4a
commit 819529f5ea
3 changed files with 3 additions and 24 deletions
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@ -149,7 +149,6 @@ import org.springframework.security.web.server.context.WebSessionServerSecurityC
 import org.springframework.security.web.server.csrf.CsrfServerLogoutHandler;
 import org.springframework.security.web.server.csrf.CsrfWebFilter;
 import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository;
-import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler;
 import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
 import org.springframework.security.web.server.header.CacheControlServerHttpHeadersWriter;
@ -1865,22 +1864,6 @@ public class ServerHttpSecurity {
 			return this;
 		}

-		/**
-		 * Specifies if {@link CsrfWebFilter} should try to resolve the actual CSRF token
-		 * from the body of multipart data requests.
-		 * @param enabled true if should read from multipart form body, else false.
-		 * Default is false
-		 * @return the {@link CsrfSpec} for additional configuration
-		 * @deprecated Use
-		 * {@link ServerCsrfTokenRequestAttributeHandler#setTokenFromMultipartDataEnabled(boolean)}
-		 * instead
-		 */
-		@Deprecated
-		public CsrfSpec tokenFromMultipartDataEnabled(boolean enabled) {
-			this.filter.setTokenFromMultipartDataEnabled(enabled);
-			return this;
-		}
-
 		/**
 		 * Specifies a {@link ServerCsrfTokenRequestHandler} that is used to make the
 		 * {@code CsrfToken} available as an exchange attribute.
--- a/config/src/main/kotlin/org/springframework/security/config/web/server/ServerCsrfDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/web/server/ServerCsrfDsl.kt
@ -17,7 +17,6 @@
 package org.springframework.security.config.web.server

 import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler
-import org.springframework.security.web.server.csrf.CsrfWebFilter
 import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository
 import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher
@ -32,8 +31,6 @@ import org.springframework.security.web.server.util.matcher.ServerWebExchangeMat
 * @property csrfTokenRepository the [ServerCsrfTokenRepository] used to persist the CSRF token.
 * @property requireCsrfProtectionMatcher the [ServerWebExchangeMatcher] used to determine when CSRF protection
 * is enabled.
- * @property tokenFromMultipartDataEnabled if true, the [CsrfWebFilter] should try to resolve the actual CSRF
- * token from the body of multipart data requests.
 * @property csrfTokenRequestHandler the  [ServerCsrfTokenRequestHandler] that is used to make the CSRF token
 * available as an exchange attribute
 */
@ -42,8 +39,6 @@ class ServerCsrfDsl {
    var accessDeniedHandler: ServerAccessDeniedHandler? = null
    var csrfTokenRepository: ServerCsrfTokenRepository? = null
    var requireCsrfProtectionMatcher: ServerWebExchangeMatcher? = null
-    @Deprecated("Use 'csrfTokenRequestHandler' instead")
-    var tokenFromMultipartDataEnabled: Boolean? = null
    var csrfTokenRequestHandler: ServerCsrfTokenRequestHandler? = null

    private var disabled = false
@ -60,7 +55,6 @@ class ServerCsrfDsl {
            accessDeniedHandler?.also { csrf.accessDeniedHandler(accessDeniedHandler) }
            csrfTokenRepository?.also { csrf.csrfTokenRepository(csrfTokenRepository) }
            requireCsrfProtectionMatcher?.also { csrf.requireCsrfProtectionMatcher(requireCsrfProtectionMatcher) }
-            tokenFromMultipartDataEnabled?.also { csrf.tokenFromMultipartDataEnabled(tokenFromMultipartDataEnabled!!) }
            csrfTokenRequestHandler?.also { csrf.csrfTokenRequestHandler(csrfTokenRequestHandler) }
            if (disabled) {
                csrf.disable()
--- a/config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
@ -311,7 +311,9 @@ class ServerCsrfDslTests {
            return http {
                csrf {
                    csrfTokenRepository = TOKEN_REPOSITORY
-                    tokenFromMultipartDataEnabled = true
+                    csrfTokenRequestHandler = XorServerCsrfTokenRequestAttributeHandler().apply {
+                        setTokenFromMultipartDataEnabled(true)
+                    }
                }
            }
        }