Add reactive CSRF samples to docs

Issue gh-8172
2020-05-28 13:16:35 -04:00 · 2020-05-28 13:16:35 -04:00 · a63a0e3765
parent da05543ef6
commit a63a0e3765
1 changed files with 81 additions and 7 deletions
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/csrf.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/csrf.adoc
@ -34,9 +34,10 @@ These defaults come from https://docs.angularjs.org/api/ng/service/$http#cross-s

 You can configure `CookieCsrfTokenRepository` in Java Configuration using:

-.Store CSRF Token in a Cookie with Java Configuration
+.Store CSRF Token in a Cookie
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 -----
@Bean
 public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -46,6 +47,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
 	return http.build();
 }
 -----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+-----
+@Bean
+fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        csrf {
+            csrfTokenRepository = CookieServerCsrfTokenRepository.withHttpOnlyFalse()
+        }
+    }
+}
+-----
 ====

 [NOTE]
@ -62,9 +77,10 @@ However, it is simple to disable CSRF protection if it <<csrf-when,makes sense f

 The Java configuration below will disable CSRF protection.

-.Disable CSRF Java Configuration
+.Disable CSRF Configuration
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -74,6 +90,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+-----
+@Bean
+fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        csrf {
+            disable()
+        }
+    }
+}
+-----
 ====

 [[webflux-csrf-include]]
@ -91,7 +121,8 @@ For example, the following code will place the `CsrfToken` on the default attrib

 .`CsrfToken` as `@ModelAttribute`
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@ControllerAdvice
 public class SecurityControllerAdvice {
@ -103,6 +134,21 @@ public class SecurityControllerAdvice {
 	}
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@ControllerAdvice
+class SecurityControllerAdvice {
+    @ModelAttribute
+    fun csrfToken(exchange: ServerWebExchange): Mono<CsrfToken> {
+        val csrfToken: Mono<CsrfToken>? = exchange.getAttribute(CsrfToken::class.java.name)
+        return csrfToken!!.doOnSuccess { token ->
+            exchange.attributes[CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME] = token
+        }
+    }
+}
+----
 ====

 Fortunately, Thymeleaf provides <<webflux-csrf-include-form-auto,integration>> that works without any additional work.
@ -253,7 +299,8 @@ For example, the following Java Configuration will perform logout with the URL `

 .Log out with HTTP GET
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -262,7 +309,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
 		.logout(logout -> logout.requiresLogout(new PathPatternParserServerWebExchangeMatcher("/logout")))
 	return http.build();
 }
+----

+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        logout {
+            requiresLogout = PathPatternParserServerWebExchangeMatcher("/logout")
+        }
+    }
+}
 ----
 ====

@ -301,7 +361,8 @@ In a WebFlux application, this can be configured with the following configuratio

 .Enable obtaining CSRF token from multipart/form-data
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
@Bean
 public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -310,7 +371,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
 		.csrf(csrf -> csrf.tokenFromMultipartDataEnabled(true))
 	return http.build();
 }
+----

+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+		// ...
+        csrf {
+            tokenFromMultipartDataEnabled = true
+        }
+    }
+}
 ----
 ====