GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge branch '6.0.x' 

Closes gh-12684
pull/12689/head
Steve Riesenberg 3 years ago
parent
c1c28375d6 c4f68d83bf
commit
5286b78308
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
2 changed files with 16 additions and 16 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 14
      docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
  2. 18
      docs/modules/ROOT/pages/servlet/exploits/csrf.adoc

14
docs/modules/ROOT/pages/reactive/exploits/csrf.adoc
Unescape View File

@ -109,14 +109,14 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain @@ -109,14 +109,14 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
[[webflux-csrf-configure-request-handler]]
==== Configure ServerCsrfTokenRequestHandler
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[`CsrfWebFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[`Mono<CsrfToken>`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.html[`ServerCsrfTokenRequestHandler`].
The default implementation is `ServerCsrfTokenRequestAttributeHandler`.
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfWebFilter.html[`CsrfWebFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/CsrfToken.html[`Mono<CsrfToken>`] as a `ServerWebExchange` attribute named `org.springframework.security.web.server.csrf.CsrfToken` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/server/csrf/ServerCsrfTokenRequestHandler.html[`ServerCsrfTokenRequestHandler`].
In 5.8, the default implementation was `ServerCsrfTokenRequestAttributeHandler`, which simply makes the `Mono<CsrfToken>` available as an exchange attribute.
An alternate implementation `XorServerCsrfTokenRequestAttributeHandler` is available to provide protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
As of 6.0, the default implementation is `XorServerCsrfTokenRequestAttributeHandler`, which provides protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
You can configure `XorServerCsrfTokenRequestAttributeHandler` using the following Java configuration:
If you wish to disable BREACH protection of the `CsrfToken` and revert to the 5.8 default, you can configure `ServerCsrfTokenRequestAttributeHandler` using the following Java configuration:
.Configure BREACH protection
.Disable BREACH protection
====
.Java
[source,java,role="primary"]
@ -126,7 +126,7 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) @@ -126,7 +126,7 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
http
// ...
.csrf(csrf -> csrf
.csrfTokenRequestHandler(new XorServerCsrfTokenRequestAttributeHandler())
.csrfTokenRequestHandler(new ServerCsrfTokenRequestAttributeHandler())
)
return http.build();
}
@ -140,7 +140,7 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain @@ -140,7 +140,7 @@ fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain
return http {
// ...
csrf {
csrfTokenRequestHandler = XorServerCsrfTokenRequestAttributeHandler()
csrfTokenRequestHandler = ServerCsrfTokenRequestAttributeHandler()
}
}
}

18
docs/modules/ROOT/pages/servlet/exploits/csrf.adoc
Unescape View File

@ -168,13 +168,13 @@ class SecurityConfig { @@ -168,13 +168,13 @@ class SecurityConfig {
==== Configure CsrfTokenRequestHandler
Spring Security's https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfFilter.html[`CsrfFilter`] exposes a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfToken.html[`CsrfToken`] as an `HttpServletRequest` attribute named `_csrf` with the help of a https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/web/csrf/CsrfTokenRequestHandler.html[CsrfTokenRequestHandler].
The default implementation is `CsrfTokenRequestAttributeHandler`.
In 5.8, the default implementation was `CsrfTokenRequestAttributeHandler` which simply makes the `_csrf` attribute available as a request attribute.
An alternate implementation `XorCsrfTokenRequestAttributeHandler` is available to provide protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
As of 6.0, the default implementation is `XorCsrfTokenRequestAttributeHandler`, which provides protection for BREACH (see https://github.com/spring-projects/spring-security/issues/4001[gh-4001]).
You can configure `XorCsrfTokenRequestAttributeHandler` in XML using the following:
If you wish to disable BREACH protection of the `CsrfToken` and revert to the 5.8 default, you can configure `CsrfTokenRequestAttributeHandler` in XML using the following:
.Configure BREACH protection XML Configuration
.Disable BREACH protection XML Configuration
====
[source,xml]
----
@ -183,13 +183,13 @@ You can configure `XorCsrfTokenRequestAttributeHandler` in XML using the followi @@ -183,13 +183,13 @@ You can configure `XorCsrfTokenRequestAttributeHandler` in XML using the followi
<csrf request-handler-ref="requestHandler"/>
</http>
<b:bean id="requestHandler"
class="org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler"/>
class="org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler"/>
----
====
You can configure `XorCsrfTokenRequestAttributeHandler` in Java Configuration using the following:
You can configure `CsrfTokenRequestAttributeHandler` in Java Configuration using the following:
.Configure BREACH protection
.Disable BREACH protection
====
.Java
[source,java,role="primary"]
@ -201,7 +201,7 @@ public class WebSecurityConfig { @@ -201,7 +201,7 @@ public class WebSecurityConfig {
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.csrf(csrf -> csrf
.csrfTokenRequestHandler(new XorCsrfTokenRequestAttributeHandler())
.csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler())
);
return http.build();
}
@ -218,7 +218,7 @@ class SecurityConfig { @@ -218,7 +218,7 @@ class SecurityConfig {
open fun filterChain(http: HttpSecurity): SecurityFilterChain {
http {
csrf {
csrfTokenRequestHandler = XorCsrfTokenRequestAttributeHandler()
csrfTokenRequestHandler = CsrfTokenRequestAttributeHandler()
}
}
return http.build()

Write Preview
Loading…
Cancel
Save