Document default CsrfTokenRequestHandler in 6.0
Closes gh-12651
This commit is contained in:
parent
5ccf414f02
commit
c4f68d83bf
|
@ -109,14 +109,14 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
|
|||
[[webflux-csrf-configure-request-handler]]
|
||||
==== Configure ServerCsrfTokenRequestHandler
|
||||
|
||||
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[`CsrfWebFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[`Mono<CsrfToken>`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.html[`ServerCsrfTokenRequestHandler`].
|
||||
The default implementation is `ServerCsrfTokenRequestAttributeHandler`.
|
||||
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[`CsrfWebFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfToken.html[`Mono<CsrfToken>`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.html[`ServerCsrfTokenRequestHandler`].
|
||||
In 5.8, the default implementation was `ServerCsrfTokenRequestAttributeHandler`, which simply makes the `Mono<CsrfToken>` available as an exchange attribute.
|
||||
|
||||
An alternate implementation `XorServerCsrfTokenRequestAttributeHandler` is available to provide protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
|
||||
As of 6.0, the default implementation is `XorServerCsrfTokenRequestAttributeHandler`, which provides protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
|
||||
|
||||
You can configure `XorServerCsrfTokenRequestAttributeHandler` using the following Java configuration:
|
||||
If you wish to disable BREACH protection of the `CsrfToken` and revert to the 5.8 default, you can configure `ServerCsrfTokenRequestAttributeHandler` using the following Java configuration:
|
||||
|
||||
.Configure BREACH protection
|
||||
.Disable BREACH protection
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
|
@ -126,7 +126,7 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
|
|||
http
|
||||
// ...
|
||||
.csrf(csrf -> csrf
|
||||
.csrfTokenRequestHandler(new XorServerCsrfTokenRequestAttributeHandler())
|
||||
.csrfTokenRequestHandler(new ServerCsrfTokenRequestAttributeHandler())
|
||||
)
|
||||
return http.build();
|
||||
}
|
||||
|
@ -140,7 +140,7 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
|
|||
return http {
|
||||
// ...
|
||||
csrf {
|
||||
csrfTokenRequestHandler = XorServerCsrfTokenRequestAttributeHandler()
|
||||
csrfTokenRequestHandler = ServerCsrfTokenRequestAttributeHandler()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -168,13 +168,13 @@ class SecurityConfig {
|
|||
==== Configure CsrfTokenRequestHandler
|
||||
|
||||
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfFilter.html[`CsrfFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[`CsrfToken`] as an `HttpServletRequest` attribute named `_csrf` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfTokenRequestHandler.html[CsrfTokenRequestHandler].
|
||||
The default implementation is `CsrfTokenRequestAttributeHandler`.
|
||||
In 5.8, the default implementation was `CsrfTokenRequestAttributeHandler` which simply makes the `_csrf` attribute available as a request attribute.
|
||||
|
||||
An alternate implementation `XorCsrfTokenRequestAttributeHandler` is available to provide protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
|
||||
As of 6.0, the default implementation is `XorCsrfTokenRequestAttributeHandler`, which provides protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
|
||||
|
||||
You can configure `XorCsrfTokenRequestAttributeHandler` in XML using the following:
|
||||
If you wish to disable BREACH protection of the `CsrfToken` and revert to the 5.8 default, you can configure `CsrfTokenRequestAttributeHandler` in XML using the following:
|
||||
|
||||
.Configure BREACH protection XML Configuration
|
||||
.Disable BREACH protection XML Configuration
|
||||
====
|
||||
[source,xml]
|
||||
----
|
||||
|
@ -183,13 +183,13 @@ You can configure `XorCsrfTokenRequestAttributeHandler` in XML using the followi
|
|||
<csrf request-handler-ref="requestHandler"/>
|
||||
</http>
|
||||
<b:bean id="requestHandler"
|
||||
class="org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler"/>
|
||||
class="org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler"/>
|
||||
----
|
||||
====
|
||||
|
||||
You can configure `XorCsrfTokenRequestAttributeHandler` in Java Configuration using the following:
|
||||
You can configure `CsrfTokenRequestAttributeHandler` in Java Configuration using the following:
|
||||
|
||||
.Configure BREACH protection
|
||||
.Disable BREACH protection
|
||||
====
|
||||
.Java
|
||||
[source,java,role="primary"]
|
||||
|
@ -201,7 +201,7 @@ public class WebSecurityConfig {
|
|||
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.csrf(csrf -> csrf
|
||||
.csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler())
|
||||
.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
|
||||
);
|
||||
return http.build();
|
||||
}
|
||||
|
@ -218,7 +218,7 @@ class SecurityConfig {
|
|||
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
|
||||
http {
|
||||
csrf {
|
||||
csrfTokenRequestHandler = XorCsrfTokenRequestAttributeHandler()
|
||||
csrfTokenRequestHandler = CsrfTokenRequestAttributeHandler()
|
||||
}
|
||||
}
|
||||
return http.build()
|
||||
|
|
Loading…
Reference in New Issue