Add reactive CSRF samples to docs

Issue gh-8172
Eleftheria Stein 2020-05-28 13:16:35 -04:00
parent da05543ef6
commit a63a0e3765


@ -34,9 +34,10 @@ These defaults come from https://docs.angularjs.org/api/ng/service/$http#cross-s
You can configure `CookieCsrfTokenRepository` in Java Configuration using: You can configure `CookieCsrfTokenRepository` in Java Configuration using:
.Store CSRF Token in a Cookie with Java Configuration .Store CSRF Token in a Cookie
==== ====
[source,java] .Java
[source,java,role="primary"]
----- -----
@Bean @Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -46,6 +47,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
return http.build(); return http.build();
} }
----- -----
.Kotlin
[source,kotlin,role="secondary"]
-----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
csrf {
csrfTokenRepository = CookieServerCsrfTokenRepository.withHttpOnlyFalse()
}
}
}
-----
==== ====
[NOTE] [NOTE]
@ -62,9 +77,10 @@ However, it is simple to disable CSRF protection if it <<csrf-when,makes sense f
The Java configuration below will disable CSRF protection. The Java configuration below will disable CSRF protection.
.Disable CSRF Java Configuration .Disable CSRF Configuration
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -74,6 +90,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
return http.build(); return http.build();
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
-----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
csrf {
disable()
}
}
}
-----
==== ====
[[webflux-csrf-include]] [[webflux-csrf-include]]
@ -91,7 +121,8 @@ For example, the following code will place the `CsrfToken` on the default attrib
.`CsrfToken` as `@ModelAttribute` .`CsrfToken` as `@ModelAttribute`
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@ControllerAdvice @ControllerAdvice
public class SecurityControllerAdvice { public class SecurityControllerAdvice {
@ -103,6 +134,21 @@ public class SecurityControllerAdvice {
} }
} }
---- ----
.Kotlin
[source,kotlin,role="secondary"]
----
@ControllerAdvice
class SecurityControllerAdvice {
@ModelAttribute
fun csrfToken(exchange: ServerWebExchange): Mono<CsrfToken> {
val csrfToken: Mono<CsrfToken>? = exchange.getAttribute(CsrfToken::class.java.name)
return csrfToken!!.doOnSuccess { token ->
exchange.attributes[CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME] = token
}
}
}
----
==== ====
Fortunately, Thymeleaf provides <<webflux-csrf-include-form-auto,integration>> that works without any additional work. Fortunately, Thymeleaf provides <<webflux-csrf-include-form-auto,integration>> that works without any additional work.
@ -253,7 +299,8 @@ For example, the following Java Configuration will perform logout with the URL `
.Log out with HTTP GET .Log out with HTTP GET
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -262,7 +309,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
.logout(logout -> logout.requiresLogout(new PathPatternParserServerWebExchangeMatcher("/logout"))) .logout(logout -> logout.requiresLogout(new PathPatternParserServerWebExchangeMatcher("/logout")))
return http.build(); return http.build();
} }
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
logout {
requiresLogout = PathPatternParserServerWebExchangeMatcher("/logout")
}
}
}
---- ----
==== ====
@ -301,7 +361,8 @@ In a WebFlux application, this can be configured with the following configuratio
.Enable obtaining CSRF token from multipart/form-data .Enable obtaining CSRF token from multipart/form-data
==== ====
[source,java] .Java
[source,java,role="primary"]
---- ----
@Bean @Bean
public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) { public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@ -310,7 +371,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
.csrf(csrf -> csrf.tokenFromMultipartDataEnabled(true)) .csrf(csrf -> csrf.tokenFromMultipartDataEnabled(true))
return http.build(); return http.build();
} }
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
return http {
// ...
csrf {
tokenFromMultipartDataEnabled = true
}
}
}
---- ----
==== ====