From 179428f7da20fd89f2997bd087900de39fda505c Mon Sep 17 00:00:00 2001 From: Steve Riesenberg Date: Thu, 26 Jan 2023 15:34:50 -0600 Subject: [PATCH] Add section for migrating WebSocket support Issue gh-12378 --- docs/modules/ROOT/nav.adoc | 1 + .../ROOT/pages/migration/servlet/exploits.adoc | 11 +++++++++++ 2 files changed, 12 insertions(+) create mode 100644 docs/modules/ROOT/pages/migration/servlet/exploits.adoc diff --git a/docs/modules/ROOT/nav.adoc b/docs/modules/ROOT/nav.adoc index 0b1059a751..bc274ccb8c 100644 --- a/docs/modules/ROOT/nav.adoc +++ b/docs/modules/ROOT/nav.adoc @@ -5,6 +5,7 @@ * xref:migration/index.adoc[Migrating to 6.0] ** xref:migration/servlet/index.adoc[Servlet Migrations] *** xref:migration/servlet/session-management.adoc[Session Management] +*** xref:migration/servlet/exploits.adoc[Exploit Protection] *** xref:migration/servlet/authentication.adoc[Authentication] *** xref:migration/servlet/authorization.adoc[Authorization] ** xref:migration/reactive.adoc[Reactive Migrations] diff --git a/docs/modules/ROOT/pages/migration/servlet/exploits.adoc b/docs/modules/ROOT/pages/migration/servlet/exploits.adoc new file mode 100644 index 0000000000..35b49b325e --- /dev/null +++ b/docs/modules/ROOT/pages/migration/servlet/exploits.adoc @@ -0,0 +1,11 @@ += Exploit Protection Migrations + +The following steps relate to how to finish migrating exploit protection support. + +== CSRF BREACH with WebSocket support + +In Spring Security 5.8, the default `ChannelInterceptor` for making the `CsrfToken` available with xref:servlet/integrations/websocket.adoc[WebSocket Security] is `CsrfChannelInterceptor`. +`XorCsrfChannelInterceptor` was added to allow opting into CSRF BREACH support. + +In Spring Security 6, `XorCsrfChannelInterceptor` is the default `ChannelInterceptor` for making the `CsrfToken` available. +If you configured the `XorCsrfChannelInterceptor` only for the purpose of updating to 6.0, you can remove it completely.
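Review bot: in the nav.adoc hunk, the new `*** xref:migration/servlet/exploits.adoc[Exploit Protection]` entry is placed between Session Management and Authentication; confirm that this ordering is intentional and matches how the servlet migration sections are sequenced in the rest of the guide, since the existing entries appear to follow the order a reader would apply the migrations in. The xref target is created in the same commit, so the link resolves, but the new page is not linked from anywhere other than the nav; consider also referencing it from the Servlet Migrations index page if the other migration pages are listed there.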
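Review bot: in the exploits.adoc hunk, the migration step is stated only in words; since the instruction is "If you configured the `XorCsrfChannelInterceptor` only for the purpose of updating to 6.0, you can remove it completely.", readers would benefit from a short configuration snippet showing what that explicit `XorCsrfChannelInterceptor` registration looks like, so they can recognise what to remove. The page also does not say what to do if an application wants to keep the 5.8 behaviour; a sentence noting that `CsrfChannelInterceptor` can still be configured explicitly for those who need to opt out of CSRF BREACH support would complete the migration guidance. Minor wording: "The following steps relate to how to finish migrating exploit protection support." reads awkwardly; "The following steps describe how to finish migrating exploit protection support." is clearer and matches the tone of the other migration pages.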