GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Document Defer load CsrfToken 

Closes gh-12105
pull/12099/head
Rob Winch 3 years ago
parent
4938c394e4
commit
d860775b45
3 changed files with 72 additions and 24 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
  2. 7
      config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
  3. 84
      docs/modules/ROOT/pages/migration.adoc

5
config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
Unescape View File

@ -34,8 +34,6 @@ import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.web.DefaultSecurityFilterChain; import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy; import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler; import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache; import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import static org.mockito.ArgumentMatchers.anyBoolean; import static org.mockito.ArgumentMatchers.anyBoolean;
@ -81,8 +79,6 @@ public class DeferHttpSessionJavaConfigTests {
@Bean @Bean
DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception { DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
LazyCsrfTokenRepository csrfRepository = new LazyCsrfTokenRepository(new HttpSessionCsrfTokenRepository());
csrfRepository.setDeferLoadToken(true);
HttpSessionRequestCache requestCache = new HttpSessionRequestCache(); HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
requestCache.setMatchingRequestParameterName("continue"); requestCache.setMatchingRequestParameterName("continue");
CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler(); CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
@ -103,7 +99,6 @@ public class DeferHttpSessionJavaConfigTests {
) )
.csrf((csrf) -> csrf .csrf((csrf) -> csrf
.csrfTokenRequestHandler(requestHandler) .csrfTokenRequestHandler(requestHandler)
.csrfTokenRepository(csrfRepository)
); );
// @formatter:on // @formatter:on
return http.build(); return http.build();

7
config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
Unescape View File

@ -30,18 +30,13 @@
security-context-explicit-save="true" security-context-explicit-save="true"
use-authorization-manager="true"> use-authorization-manager="true">
<intercept-url pattern="/**" access="permitAll"/> <intercept-url pattern="/**" access="permitAll"/>
<csrf request-handler-ref="requestHandler" <csrf request-handler-ref="requestHandler"/>
token-repository-ref="csrfRepository"/>
<request-cache ref="requestCache"/> <request-cache ref="requestCache"/>
<session-management authentication-strategy-explicit-invocation="true"/> <session-management authentication-strategy-explicit-invocation="true"/>
</http> </http>
<b:bean id="requestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache" <b:bean id="requestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache"
p:matchingRequestParameterName="continue"/> p:matchingRequestParameterName="continue"/>
<b:bean id="httpSessionCsrfRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository"/>
<b:bean id="csrfRepository" class="org.springframework.security.web.csrf.LazyCsrfTokenRepository"
c:delegate-ref="httpSessionCsrfRepository"
p:deferLoadToken="true"/>
<b:bean id="requestHandler" class="org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler" <b:bean id="requestHandler" class="org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler"
p:csrfRequestAttributeName="_csrf"/> p:csrfRequestAttributeName="_csrf"/>
<b:import resource="CsrfConfigTests-shared-userservice.xml"/> <b:import resource="CsrfConfigTests-shared-userservice.xml"/>

84
docs/modules/ROOT/pages/migration.adoc
Unescape View File

@ -13,6 +13,64 @@ endif::[]
== Servlet == Servlet
=== Defer Loading CsrfToken
In Spring Security 5, the default behavior is that the `CsrfToken` will be loaded on every request.
This means that in a typical setup, the `HttpSession` must be read for every request even if it is unnecessary.
In Spring Security 6, the default is that the lookup of the `CsrfToken` will be deferred until it is needed.
To opt into the new Spring Security 6 default, the following configuration can be used.
.Defer Loading `CsrfToken`
====
.Java
[source,java,role="primary"]
----
@Bean
DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
// set the name of the attribute the CsrfToken will be populated on
requestHandler.setCsrfRequestAttributeName("_csrf");
http
// ...
.csrf((csrf) -> csrf
.csrfTokenRequestHandler(requestHandler)
);
return http.build();
}
----
.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
val requestHandler = CsrfTokenRequestAttributeHandler()
// set the name of the attribute the CsrfToken will be populated on
requestHandler.setCsrfRequestAttributeName("_csrf")
http {
csrf {
csrfTokenRequestHandler = requestHandler
}
}
return http.build()
}
----
.XML
[source,xml,role="secondary"]
----
<http>
<!-- ... -->
<csrf request-handler-ref="requestHandler"/>
</http>
<b:bean id="requestHandler"
class="org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler"
p:csrfRequestAttributeName="_csrf"/>
----
====
=== Explicit Save SecurityContextRepository === Explicit Save SecurityContextRepository
In Spring Security 5, the default behavior is for the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontext[`SecurityContext`] to automatically be saved to the xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] using the xref:servlet/authentication/persistence.adoc#securitycontextpersistencefilter[`SecurityContextPersistenceFilter`]. In Spring Security 5, the default behavior is for the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontext[`SecurityContext`] to automatically be saved to the xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] using the xref:servlet/authentication/persistence.adoc#securitycontextpersistencefilter[`SecurityContextPersistenceFilter`].
@ -170,10 +228,10 @@ static PermissionEvaluator permissionEvaluator() {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
companion object { companion object {
@Bean @Bean
fun permissionEvaluator(): PermissionEvaluator { fun permissionEvaluator(): PermissionEvaluator {
// ... your evaluator // ... your evaluator
} }
} }
---- ----
==== ====
@ -186,9 +244,9 @@ to:
---- ----
@Bean @Bean
static MethodSecurityExpressionHandler expressionHandler() { static MethodSecurityExpressionHandler expressionHandler() {
var expressionHandler = new DefaultMethodSecurityExpressionHandler(); var expressionHandler = new DefaultMethodSecurityExpressionHandler();
expressionHandler.setPermissionEvaluator(myPermissionEvaluator); expressionHandler.setPermissionEvaluator(myPermissionEvaluator);
return expressionHandler; return expressionHandler;
} }
---- ----
@ -196,12 +254,12 @@ static MethodSecurityExpressionHandler expressionHandler() {
[source,kotlin,role="secondary"] [source,kotlin,role="secondary"]
---- ----
companion object { companion object {
@Bean @Bean
fun expressionHandler(): MethodSecurityExpressionHandler { fun expressionHandler(): MethodSecurityExpressionHandler {
val expressionHandler = DefaultMethodSecurityExpressionHandler val expressionHandler = DefaultMethodSecurityExpressionHandler
expressionHandler.setPermissionEvaluator(myPermissionEvaluator) expressionHandler.setPermissionEvaluator(myPermissionEvaluator)
return expressionHandler return expressionHandler
} }
} }
---- ----
==== ====

Write Preview
Loading…
Cancel
Save