From a61fffc20957bb10eb092ff42d1c4294ace6c916 Mon Sep 17 00:00:00 2001
From: Steve Riesenberg
Date: Wed, 16 Nov 2022 16:42:15 -0600
Subject: [PATCH] Document reactive support for CSRF BREACH

Issue gh-11959
---
 .../ROOT/pages/migration/reactive.adoc | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/docs/modules/ROOT/pages/migration/reactive.adoc b/docs/modules/ROOT/pages/migration/reactive.adoc
index 8c9696733c..5c189cfb70 100644
--- a/docs/modules/ROOT/pages/migration/reactive.adoc
+++ b/docs/modules/ROOT/pages/migration/reactive.adoc
@@ -80,6 +80,45 @@ open fun securityWebFilterChain(http: HttpSecurity): SecurityWebFilterChain {
 ----
 ====
 
+=== Protect against CSRF BREACH
+
+You can opt into Spring Security 6's default support for BREACH protection of the `CsrfToken` using the following configuration:
+
+.`CsrfToken` BREACH Protection
+====
+.Java
+[source,java,role="primary"]
+----
+@Bean
+SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
+ XorServerCsrfTokenRequestAttributeHandler requestHandler = new XorServerCsrfTokenRequestAttributeHandler();
+ // ...
+ http
+ // ...
+ .csrf((csrf) -> csrf
+ .csrfTokenRequestHandler(requestHandler)
+ );
+ return http.build();
+}
+----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+open fun securityWebFilterChain(http: HttpSecurity): SecurityWebFilterChain {
+ val requestHandler = XorServerCsrfTokenRequestAttributeHandler()
+ // ...
+ return http {
+ // ...
+ csrf {
+ csrfTokenRequestHandler = requestHandler
+ }
+ }
+}
+----
+====
+
 == Use `AuthorizationManager` for Method Security
 
 xref:reactive/authorization/method.adoc[Method Security] has been xref:reactive/authorization/method.adoc#jc-enable-reactive-method-security-authorization-manager[improved] through {security-api-url}org/springframework/security/authorization/AuthorizationManager.html[the `AuthorizationManager` API] and direct use of Spring AOP.