diff --git a/docs/modules/ROOT/pages/reactive/exploits/csrf.adoc b/docs/modules/ROOT/pages/reactive/exploits/csrf.adoc index aadf311cbe..c7aab897bc 100644 --- a/docs/modules/ROOT/pages/reactive/exploits/csrf.adoc +++ b/docs/modules/ROOT/pages/reactive/exploits/csrf.adoc @@ -109,14 +109,14 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain [[webflux-csrf-configure-request-handler]] ==== Configure ServerCsrfTokenRequestHandler -Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[`CsrfWebFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[`Mono`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.html[`ServerCsrfTokenRequestHandler`]. -The default implementation is `ServerCsrfTokenRequestAttributeHandler`. +Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[`CsrfWebFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfToken.html[`Mono`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.html[`ServerCsrfTokenRequestHandler`]. +In 5.8, the default implementation was `ServerCsrfTokenRequestAttributeHandler`, which simply makes the `Mono` available as an exchange attribute. -An alternate implementation `XorServerCsrfTokenRequestAttributeHandler` is available to provide protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]). +As of 6.0, the default implementation is `XorServerCsrfTokenRequestAttributeHandler`, which provides protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]). -You can configure `XorServerCsrfTokenRequestAttributeHandler` using the following Java configuration: +If you wish to disable BREACH protection of the `CsrfToken` and revert to the 5.8 default, you can configure `ServerCsrfTokenRequestAttributeHandler` using the following Java configuration: -.Configure BREACH protection +.Disable BREACH protection ==== .Java [source,java,role="primary"] @@ -126,7 +126,7 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) http // ... .csrf(csrf -> csrf - .csrfTokenRequestHandler(new XorServerCsrfTokenRequestAttributeHandler()) + .csrfTokenRequestHandler(new ServerCsrfTokenRequestAttributeHandler()) ) return http.build(); } @@ -140,7 +140,7 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain return http { // ... csrf { - csrfTokenRequestHandler = XorServerCsrfTokenRequestAttributeHandler() + csrfTokenRequestHandler = ServerCsrfTokenRequestAttributeHandler() } } } diff --git a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc index bcd07b6065..c6bfd2feac 100644 --- a/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc +++ b/docs/modules/ROOT/pages/servlet/exploits/csrf.adoc @@ -168,13 +168,13 @@ class SecurityConfig { ==== Configure CsrfTokenRequestHandler Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfFilter.html[`CsrfFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[`CsrfToken`] as an `HttpServletRequest` attribute named `_csrf` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfTokenRequestHandler.html[CsrfTokenRequestHandler]. -The default implementation is `CsrfTokenRequestAttributeHandler`. +In 5.8, the default implementation was `CsrfTokenRequestAttributeHandler` which simply makes the `_csrf` attribute available as a request attribute. -An alternate implementation `XorCsrfTokenRequestAttributeHandler` is available to provide protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]). +As of 6.0, the default implementation is `XorCsrfTokenRequestAttributeHandler`, which provides protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]). -You can configure `XorCsrfTokenRequestAttributeHandler` in XML using the following: +If you wish to disable BREACH protection of the `CsrfToken` and revert to the 5.8 default, you can configure `CsrfTokenRequestAttributeHandler` in XML using the following: -.Configure BREACH protection XML Configuration +.Disable BREACH protection XML Configuration ==== [source,xml] ---- @@ -183,13 +183,13 @@ You can configure `XorCsrfTokenRequestAttributeHandler` in XML using the followi + class="org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler"/> ---- ==== -You can configure `XorCsrfTokenRequestAttributeHandler` in Java Configuration using the following: +You can configure `CsrfTokenRequestAttributeHandler` in Java Configuration using the following: -.Configure BREACH protection +.Disable BREACH protection ==== .Java [source,java,role="primary"] @@ -201,7 +201,7 @@ public class WebSecurityConfig { public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { http .csrf(csrf -> csrf - .csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler()) + .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()) ); return http.build(); } @@ -218,7 +218,7 @@ class SecurityConfig { open fun filterChain(http: HttpSecurity): SecurityFilterChain { http { csrf { - csrfTokenRequestHandler = XorCsrfTokenRequestAttributeHandler() + csrfTokenRequestHandler = CsrfTokenRequestAttributeHandler() } } return http.build()