Add `spa()` configuration method

Signed-off-by: Tran Ngoc Nhan <ngocnhan.tran1996@gmail.com>
3 months ago · 3926a39ea8
2 changed files with 51 additions and 0 deletions
--- a/config/src/main/kotlin/org/springframework/security/config/annotation/web/CsrfDsl.kt
+++ b/config/src/main/kotlin/org/springframework/security/config/annotation/web/CsrfDsl.kt
@ -47,6 +47,7 @@ class CsrfDsl {
				@@ -47,6 +47,7 @@ class CsrfDsl {
    private var ignoringRequestMatchers: Array<out RequestMatcher>? = null
    private var ignoringRequestMatchersPatterns: Array<out String>? = null
    private var disabled = false
+    private var spaMode = false

    /**
     * Allows specifying [HttpServletRequest]s that should not use CSRF Protection
@ -76,6 +77,17 @@ class CsrfDsl {
				@@ -76,6 +77,17 @@ class CsrfDsl {
        disabled = true
    }

+    /**
+     * Sensible CSRF defaults when used in combination with a single page application.
+     * Creates a cookie-based token repository and a custom request handler to resolve the
+     * actual token value instead of the encoded token.
+     *
+     * @since 7.1
+     */
+    fun spa() {
+        spaMode = true
+    }
+
    internal fun get(): (CsrfConfigurer<HttpSecurity>) -> Unit {
        return { csrf ->
            csrfTokenRepository?.also { csrf.csrfTokenRepository(csrfTokenRepository) }
@ -84,6 +96,9 @@ class CsrfDsl {
				@@ -84,6 +96,9 @@ class CsrfDsl {
            csrfTokenRequestHandler?.also { csrf.csrfTokenRequestHandler(csrfTokenRequestHandler) }
            ignoringRequestMatchers?.also { csrf.ignoringRequestMatchers(*ignoringRequestMatchers!!) }
            ignoringRequestMatchersPatterns?.also { csrf.ignoringRequestMatchers(*ignoringRequestMatchersPatterns!!) }
+            if (spaMode) {
+                csrf.spa()
+            }
            if (disabled) {
                csrf.disable()
            }
--- a/config/src/test/kotlin/org/springframework/security/config/annotation/web/CsrfDslTests.kt
+++ b/config/src/test/kotlin/org/springframework/security/config/annotation/web/CsrfDslTests.kt
@ -343,4 +343,40 @@ class CsrfDslTests {
				@@ -343,4 +343,40 @@ class CsrfDslTests {
            return http.build()
        }
    }
+
+    @Test
+    fun `POST when CSRF for SPA enabled and no CSRF token then forbidden`() {
+        this.spring.register(CsrfSPAConfig::class.java).autowire()
+
+        this.mockMvc.post("/test1")
+            .andExpect {
+                status { isForbidden() }
+            }
+    }
+
+    @Test
+    fun `POST when CSRF for SPA enabled and CSRF token then status OK`() {
+        this.spring.register(CsrfSPAConfig::class.java, BasicController::class.java).autowire()
+
+        this.mockMvc.post("/test1") {
+            with(csrf())
+        }.andExpect {
+            status { isOk() }
+        }
+
+    }
+
+    @Configuration
+    @EnableWebSecurity
+    open class CsrfSPAConfig {
+        @Bean
+        open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+            http {
+                csrf {
+                    spa()
+                }
+            }
+            return http.build()
+        }
+    }
 }