Document default CsrfTokenRequestHandler in 6.0

Closes gh-12651
This commit is contained in:
Steve Riesenberg 2023-02-16 13:25:36 -06:00
parent 5ccf414f02
commit c4f68d83bf
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
2 changed files with 16 additions and 16 deletions

View File

@ -109,14 +109,14 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
[[webflux-csrf-configure-request-handler]]
==== Configure ServerCsrfTokenRequestHandler
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[`CsrfWebFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[`Mono<CsrfToken>`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.html[`ServerCsrfTokenRequestHandler`].
The default implementation is `ServerCsrfTokenRequestAttributeHandler`.
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[`CsrfWebFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfToken.html[`Mono<CsrfToken>`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.html[`ServerCsrfTokenRequestHandler`].
In 5.8, the default implementation was `ServerCsrfTokenRequestAttributeHandler`, which simply makes the `Mono<CsrfToken>` available as an exchange attribute.
An alternate implementation `XorServerCsrfTokenRequestAttributeHandler` is available to provide protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
As of 6.0, the default implementation is `XorServerCsrfTokenRequestAttributeHandler`, which provides protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
You can configure `XorServerCsrfTokenRequestAttributeHandler` using the following Java configuration:
If you wish to disable BREACH protection of the `CsrfToken` and revert to the 5.8 default, you can configure `ServerCsrfTokenRequestAttributeHandler` using the following Java configuration:
.Configure BREACH protection
.Disable BREACH protection
====
.Java
[source,java,role="primary"]
@ -126,7 +126,7 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
http
// ...
.csrf(csrf -> csrf
.csrfTokenRequestHandler(new XorServerCsrfTokenRequestAttributeHandler())
.csrfTokenRequestHandler(new ServerCsrfTokenRequestAttributeHandler())
)
return http.build();
}
@ -140,7 +140,7 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
return http {
// ...
csrf {
csrfTokenRequestHandler = XorServerCsrfTokenRequestAttributeHandler()
csrfTokenRequestHandler = ServerCsrfTokenRequestAttributeHandler()
}
}
}

View File

@ -168,13 +168,13 @@ class SecurityConfig {
==== Configure CsrfTokenRequestHandler
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfFilter.html[`CsrfFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[`CsrfToken`] as an `HttpServletRequest` attribute named `_csrf` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfTokenRequestHandler.html[CsrfTokenRequestHandler].
The default implementation is `CsrfTokenRequestAttributeHandler`.
In 5.8, the default implementation was `CsrfTokenRequestAttributeHandler` which simply makes the `_csrf` attribute available as a request attribute.
An alternate implementation `XorCsrfTokenRequestAttributeHandler` is available to provide protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
As of 6.0, the default implementation is `XorCsrfTokenRequestAttributeHandler`, which provides protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
You can configure `XorCsrfTokenRequestAttributeHandler` in XML using the following:
If you wish to disable BREACH protection of the `CsrfToken` and revert to the 5.8 default, you can configure `CsrfTokenRequestAttributeHandler` in XML using the following:
.Configure BREACH protection XML Configuration
.Disable BREACH protection XML Configuration
====
[source,xml]
----
@ -183,13 +183,13 @@ You can configure `XorCsrfTokenRequestAttributeHandler` in XML using the followi
<csrf request-handler-ref="requestHandler"/>
</http>
<b:bean id="requestHandler"
class="org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler"/>
class="org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler"/>
----
====
You can configure `XorCsrfTokenRequestAttributeHandler` in Java Configuration using the following:
You can configure `CsrfTokenRequestAttributeHandler` in Java Configuration using the following:
.Configure BREACH protection
.Disable BREACH protection
====
.Java
[source,java,role="primary"]
@ -201,7 +201,7 @@ public class WebSecurityConfig {
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf
.csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler())
.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
);
return http.build();
}
@ -218,7 +218,7 @@ class SecurityConfig {
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
csrf {
csrfTokenRequestHandler = XorCsrfTokenRequestAttributeHandler()
csrfTokenRequestHandler = CsrfTokenRequestAttributeHandler()
}
}
return http.build()