Document reactive support for CSRF BREACH

Issue gh-11959
Steve Riesenberg 2022-11-16 16:42:15 -06:00
parent 3cb2b0606e
commit a61fffc209
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
1 changed file with 39 additions and 0 deletions


@ -80,6 +80,45 @@ open fun securityWebFilterChain(http: HttpSecurity): SecurityWebFilterChain {
----
====
=== Protect against CSRF BREACH
You can opt into Spring Security 6's default support for BREACH protection of the `CsrfToken` using the following configuration:
.`CsrfToken` BREACH Protection
====
.Java
[source,java,role="primary"]
----
@Bean
SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
XorServerCsrfTokenRequestAttributeHandler requestHandler = new XorServerCsrfTokenRequestAttributeHandler();
// ...
http
// ...
.csrf((csrf) -> csrf
.csrfTokenRequestHandler(requestHandler)
);
return http.build();
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
open fun securityWebFilterChain(http: HttpSecurity): SecurityWebFilterChain {
val requestHandler = XorServerCsrfTokenRequestAttributeHandler()
// ...
return http {
// ...
csrf {
csrfTokenRequestHandler = requestHandler
}
}
}
----
====
== Use `AuthorizationManager` for Method Security
xref:reactive/authorization/method.adoc[Method Security] has been xref:reactive/authorization/method.adoc#jc-enable-reactive-method-security-authorization-manager[improved] through {security-api-url}org/springframework/security/authorization/AuthorizationManager.html[the `AuthorizationManager` API] and direct use of Spring AOP.
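Review bot: the Kotlin listing declares `securityWebFilterChain(http: HttpSecurity): SecurityWebFilterChain`, while the Java listing directly above it takes `ServerHttpSecurity http`; for a reactive `SecurityWebFilterChain` the Kotlin parameter should be `ServerHttpSecurity` as well (the same mismatch is visible in the pre-existing context line of the hunk header, so it is worth fixing in both places rather than copying it forward). Two smaller points: the Kotlin sample sets `csrfTokenRequestHandler = requestHandler` but, unlike the Java sample, is not shown with any surrounding `// ...` for the rest of the DSL inside `csrf { }`, which is fine, but the intro sentence says this is "Spring Security 6's default support" while the example opts into it explicitly; a short sentence clarifying that `XorServerCsrfTokenRequestAttributeHandler` is the 6.0 default and that this configuration is what a 5.8 application adds to get the same behaviour ahead of the upgrade would make the migration intent clearer.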