Processed review comments and updated documentation

Signed-off-by: Felix Hagemans <[email protected]>

Author: felhag

config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurer.java

@@ -19,9 +19,11 @@
 import java.util.ArrayList;
 import java.util.LinkedHashMap;
 import java.util.List;
+import java.util.function.Supplier;
 
 import io.micrometer.observation.ObservationRegistry;
 import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.access.AccessDeniedException;
@@ -34,20 +36,25 @@
 import org.springframework.security.web.access.DelegatingAccessDeniedHandler;
 import org.springframework.security.web.access.ObservationMarkingAccessDeniedHandler;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.csrf.CsrfAuthenticationStrategy;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfLogoutHandler;
+import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.session.InvalidSessionAccessDeniedHandler;
 import org.springframework.security.web.session.InvalidSessionStrategy;
 import org.springframework.security.web.util.matcher.AndRequestMatcher;
 import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
 import org.springframework.security.web.util.matcher.OrRequestMatcher;
 import org.springframework.security.web.util.matcher.RequestMatcher;
 import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
 
 /**
  * Adds
@@ -214,6 +221,21 @@ public CsrfConfigurer<H> sessionAuthenticationStrategy(
 		return this;
 	}
 
+	/**
+	 * <p>
+	 * Sensible CSRF defaults when used in combination with a single page application.
+	 * Creates a cookie-based token repository and a custom request handler to resolve the
+	 * actual token value instead of the encoded token.
+	 * </p>
+	 * @return the {@link CsrfConfigurer} for further customizations
+	 * @since 7.0
+	 */
+	public CsrfConfigurer<H> spa() {
+		this.csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse();
+		this.requestHandler = new SpaCsrfTokenRequestHandler();
+		return this;
+	}
+
 	@SuppressWarnings("unchecked")
 	@Override
 	public void configure(H http) {
@@ -375,4 +397,42 @@ protected IgnoreCsrfProtectionRegistry chainRequestMatchers(List<RequestMatcher>
 
 	}
 
+	private static class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
+
+		private final CsrfTokenRequestAttributeHandler plain = new CsrfTokenRequestAttributeHandler();
+
+		private final CsrfTokenRequestAttributeHandler xor = new XorCsrfTokenRequestAttributeHandler();
+
+		SpaCsrfTokenRequestHandler() {
+			this.xor.setCsrfRequestAttributeName(null);
+		}
+
+		@Override
+		public void handle(HttpServletRequest request, HttpServletResponse response, Supplier<CsrfToken> csrfToken) {
+			/*
+			 * Always use XorCsrfTokenRequestAttributeHandler to provide BREACH protection
+			 * of the CsrfToken when it is rendered in the response body.
+			 */
+			this.xor.handle(request, response, csrfToken);
+		}
+
+		@Override
+		public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
+			String headerValue = request.getHeader(csrfToken.getHeaderName());
+			/*
+			 * If the request contains a request header, use
+			 * CsrfTokenRequestAttributeHandler to resolve the CsrfToken. This applies
+			 * when a single-page application includes the header value automatically,
+			 * which was obtained via a cookie containing the raw CsrfToken.
+			 *
+			 * In all other cases (e.g. if the request contains a request parameter), use
+			 * XorCsrfTokenRequestAttributeHandler to resolve the CsrfToken. This applies
+			 * when a server-side rendered form includes the _csrf request parameter as a
+			 * hidden input.
+			 */
+			return (StringUtils.hasText(headerValue) ? this.plain : this.xor).resolveCsrfTokenValue(request, csrfToken);
+		}
+
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/web/configurers/CsrfCustomizer.java

@@ -92,7 +92,10 @@
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.put;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.request;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.cookie;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 /**
  * Tests for {@link CsrfConfigurer}
@@ -114,72 +117,72 @@ public class CsrfConfigurerTests {
 	@Test
 	public void postWhenWebSecurityEnabledThenRespondsWithForbidden() throws Exception {
 		this.spring
-				.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
-				.autowire();
+			.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
+			.autowire();
 		this.mvc.perform(post("/")).andExpect(status().isForbidden());
 	}
 
 	@Test
 	public void putWhenWebSecurityEnabledThenRespondsWithForbidden() throws Exception {
 		this.spring
-				.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
-				.autowire();
+			.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
+			.autowire();
 		this.mvc.perform(put("/")).andExpect(status().isForbidden());
 	}
 
 	@Test
 	public void patchWhenWebSecurityEnabledThenRespondsWithForbidden() throws Exception {
 		this.spring
-				.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
-				.autowire();
+			.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
+			.autowire();
 		this.mvc.perform(patch("/")).andExpect(status().isForbidden());
 	}
 
 	@Test
 	public void deleteWhenWebSecurityEnabledThenRespondsWithForbidden() throws Exception {
 		this.spring
-				.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
-				.autowire();
+			.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
+			.autowire();
 		this.mvc.perform(delete("/")).andExpect(status().isForbidden());
 	}
 
 	@Test
 	public void invalidWhenWebSecurityEnabledThenRespondsWithForbidden() throws Exception {
 		this.spring
-				.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
-				.autowire();
+			.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
+			.autowire();
 		this.mvc.perform(request("INVALID", URI.create("/"))).andExpect(status().isForbidden());
 	}
 
 	@Test
 	public void getWhenWebSecurityEnabledThenRespondsWithOk() throws Exception {
 		this.spring
-				.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
-				.autowire();
+			.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
+			.autowire();
 		this.mvc.perform(get("/")).andExpect(status().isOk());
 	}
 
 	@Test
 	public void headWhenWebSecurityEnabledThenRespondsWithOk() throws Exception {
 		this.spring
-				.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
-				.autowire();
+			.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
+			.autowire();
 		this.mvc.perform(head("/")).andExpect(status().isOk());
 	}
 
 	@Test
 	public void traceWhenWebSecurityEnabledThenRespondsWithOk() throws Exception {
 		this.spring
-				.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
-				.autowire();
+			.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
+			.autowire();
 		this.mvc.perform(request(HttpMethod.TRACE, "/")).andExpect(status().isOk());
 	}
 
 	@Test
 	public void optionsWhenWebSecurityEnabledThenRespondsWithOk() throws Exception {
 		this.spring
-				.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
-				.autowire();
+			.register(CsrfAppliedDefaultConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
+			.autowire();
 		this.mvc.perform(options("/")).andExpect(status().isOk());
 	}
 
@@ -209,11 +212,11 @@ public void loginWhenCsrfDisabledThenRedirectsToPreviousPostRequest() throws Exc
 		RequestCache requestCache = new HttpSessionRequestCache();
 		String redirectUrl = requestCache.getRequest(mvcResult.getRequest(), mvcResult.getResponse()).getRedirectUrl();
 		this.mvc
-				.perform(post("/login").param("username", "user")
-						.param("password", "password")
-						.session((MockHttpSession) mvcResult.getRequest().getSession()))
-				.andExpect(status().isFound())
-				.andExpect(redirectedUrl(redirectUrl));
+			.perform(post("/login").param("username", "user")
+				.param("password", "password")
+				.session((MockHttpSession) mvcResult.getRequest().getSession()))
+			.andExpect(status().isFound())
+			.andExpect(redirectedUrl(redirectUrl));
 	}
 
 	@Test
@@ -222,18 +225,18 @@ public void loginWhenCsrfEnabledThenDoesNotRedirectToPreviousPostRequest() throw
 		DefaultCsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
 		given(CsrfDisablesPostRequestFromRequestCacheConfig.REPO.loadDeferredToken(any(HttpServletRequest.class),
 				any(HttpServletResponse.class)))
-				.willReturn(new TestDeferredCsrfToken(csrfToken));
+			.willReturn(new TestDeferredCsrfToken(csrfToken));
 		this.spring.register(CsrfDisablesPostRequestFromRequestCacheConfig.class).autowire();
 		MvcResult mvcResult = this.mvc.perform(post("/some-url")).andReturn();
 		this.mvc
-				.perform(post("/login").param("username", "user")
-						.param("password", "password")
-						.with(csrf())
-						.session((MockHttpSession) mvcResult.getRequest().getSession()))
-				.andExpect(status().isFound())
-				.andExpect(redirectedUrl("/"));
+			.perform(post("/login").param("username", "user")
+				.param("password", "password")
+				.with(csrf())
+				.session((MockHttpSession) mvcResult.getRequest().getSession()))
+			.andExpect(status().isFound())
+			.andExpect(redirectedUrl("/"));
 		verify(CsrfDisablesPostRequestFromRequestCacheConfig.REPO, atLeastOnce())
-				.loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class));
+			.loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class));
 	}
 
 	@Test
@@ -242,32 +245,32 @@ public void loginWhenCsrfEnabledThenRedirectsToPreviousGetRequest() throws Excep
 		DefaultCsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
 		given(CsrfDisablesPostRequestFromRequestCacheConfig.REPO.loadDeferredToken(any(HttpServletRequest.class),
 				any(HttpServletResponse.class)))
-				.willReturn(new TestDeferredCsrfToken(csrfToken));
+			.willReturn(new TestDeferredCsrfToken(csrfToken));
 		this.spring.register(CsrfDisablesPostRequestFromRequestCacheConfig.class).autowire();
 		MvcResult mvcResult = this.mvc.perform(get("/some-url")).andReturn();
 		RequestCache requestCache = new HttpSessionRequestCache();
 		String redirectUrl = requestCache.getRequest(mvcResult.getRequest(), mvcResult.getResponse()).getRedirectUrl();
 		this.mvc
-				.perform(post("/login").param("username", "user")
-						.param("password", "password")
-						.with(csrf())
-						.session((MockHttpSession) mvcResult.getRequest().getSession()))
-				.andExpect(status().isFound())
-				.andExpect(redirectedUrl(redirectUrl));
+			.perform(post("/login").param("username", "user")
+				.param("password", "password")
+				.with(csrf())
+				.session((MockHttpSession) mvcResult.getRequest().getSession()))
+			.andExpect(status().isFound())
+			.andExpect(redirectedUrl(redirectUrl));
 		verify(CsrfDisablesPostRequestFromRequestCacheConfig.REPO, atLeastOnce())
-				.loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class));
+			.loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class));
 	}
 
 	// SEC-2422
 	@Test
 	public void postWhenCsrfEnabledAndSessionIsExpiredThenRespondsWithForbidden() throws Exception {
 		this.spring.register(InvalidSessionUrlConfig.class).autowire();
 		MvcResult mvcResult = this.mvc.perform(post("/").param("_csrf", "abc"))
-				.andExpect(status().isFound())
-				.andExpect(redirectedUrl("/error/sessionError"))
-				.andReturn();
+			.andExpect(status().isFound())
+			.andExpect(redirectedUrl("/error/sessionError"))
+			.andReturn();
 		this.mvc.perform(post("/").session((MockHttpSession) mvcResult.getRequest().getSession()))
-				.andExpect(status().isForbidden());
+			.andExpect(status().isForbidden());
 	}
 
 	@Test
@@ -306,7 +309,7 @@ public void postWhenCustomCsrfTokenRepositoryThenRepositoryIsUsed() throws Excep
 		CsrfTokenRepositoryConfig.REPO = mock(CsrfTokenRepository.class);
 		given(CsrfTokenRepositoryConfig.REPO.loadDeferredToken(any(HttpServletRequest.class),
 				any(HttpServletResponse.class)))
-				.willReturn(new TestDeferredCsrfToken(new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token")));
+			.willReturn(new TestDeferredCsrfToken(new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token")));
 		this.spring.register(CsrfTokenRepositoryConfig.class, BasicController.class).autowire();
 		this.mvc.perform(post("/"));
 		verify(CsrfTokenRepositoryConfig.REPO).loadDeferredToken(any(HttpServletRequest.class),
@@ -329,7 +332,7 @@ public void loginWhenCustomCsrfTokenRepositoryThenCsrfTokenIsCleared() throws Ex
 		given(CsrfTokenRepositoryConfig.REPO.loadToken(any())).willReturn(csrfToken);
 		given(CsrfTokenRepositoryConfig.REPO.loadDeferredToken(any(HttpServletRequest.class),
 				any(HttpServletResponse.class)))
-				.willReturn(new TestDeferredCsrfToken(csrfToken));
+			.willReturn(new TestDeferredCsrfToken(csrfToken));
 		this.spring.register(CsrfTokenRepositoryConfig.class, BasicController.class).autowire();
 		// @formatter:off
 		MockHttpServletRequestBuilder loginRequest = post("/login")
@@ -348,7 +351,7 @@ public void getWhenCustomCsrfTokenRepositoryInLambdaThenRepositoryIsUsed() throw
 		CsrfTokenRepositoryInLambdaConfig.REPO = mock(CsrfTokenRepository.class);
 		given(CsrfTokenRepositoryInLambdaConfig.REPO.loadDeferredToken(any(HttpServletRequest.class),
 				any(HttpServletResponse.class)))
-				.willReturn(new TestDeferredCsrfToken(new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token")));
+			.willReturn(new TestDeferredCsrfToken(new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token")));
 		this.spring.register(CsrfTokenRepositoryInLambdaConfig.class, BasicController.class).autowire();
 		this.mvc.perform(post("/"));
 		verify(CsrfTokenRepositoryInLambdaConfig.REPO).loadDeferredToken(any(HttpServletRequest.class),
@@ -418,8 +421,8 @@ public void logoutWhenGetRequestAndGetEnabledForLogoutThenLogsOut() throws Excep
 	@Test
 	public void configureWhenRequireCsrfProtectionMatcherNullThenException() {
 		assertThatExceptionOfType(BeanCreationException.class)
-				.isThrownBy(() -> this.spring.register(NullRequireCsrfProtectionMatcherConfig.class).autowire())
-				.withRootCauseInstanceOf(IllegalArgumentException.class);
+			.isThrownBy(() -> this.spring.register(NullRequireCsrfProtectionMatcherConfig.class).autowire())
+			.withRootCauseInstanceOf(IllegalArgumentException.class);
 	}
 
 	@Test
@@ -432,8 +435,8 @@ public void getWhenDefaultCsrfTokenRepositoryThenDoesNotCreateSession() throws E
 	@Test
 	public void getWhenNullAuthenticationStrategyThenException() {
 		assertThatExceptionOfType(BeanCreationException.class)
-				.isThrownBy(() -> this.spring.register(NullAuthenticationStrategy.class).autowire())
-				.withRootCauseInstanceOf(IllegalArgumentException.class);
+			.isThrownBy(() -> this.spring.register(NullAuthenticationStrategy.class).autowire())
+			.withRootCauseInstanceOf(IllegalArgumentException.class);
 	}
 
 	@Test
@@ -456,13 +459,13 @@ public void getLoginWhenCsrfTokenRequestAttributeHandlerSetThenRespondsWithNorma
 		CsrfTokenRepository csrfTokenRepository = mock(CsrfTokenRepository.class);
 		CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
 		given(csrfTokenRepository.loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class)))
-				.willReturn(new TestDeferredCsrfToken(csrfToken));
+			.willReturn(new TestDeferredCsrfToken(csrfToken));
 		CsrfTokenRequestHandlerConfig.REPO = csrfTokenRepository;
 		CsrfTokenRequestHandlerConfig.HANDLER = new CsrfTokenRequestAttributeHandler();
 		this.spring.register(CsrfTokenRequestHandlerConfig.class, BasicController.class).autowire();
 		this.mvc.perform(get("/login"))
-				.andExpect(status().isOk())
-				.andExpect(content().string(containsString(csrfToken.getToken())));
+			.andExpect(status().isOk())
+			.andExpect(content().string(containsString(csrfToken.getToken())));
 		verify(csrfTokenRepository).loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class));
 		verifyNoMoreInteractions(csrfTokenRepository);
 	}
@@ -473,7 +476,7 @@ public void loginWhenCsrfTokenRequestAttributeHandlerSetAndNormalCsrfTokenThenSu
 		CsrfTokenRepository csrfTokenRepository = mock(CsrfTokenRepository.class);
 		given(csrfTokenRepository.loadToken(any(HttpServletRequest.class))).willReturn(csrfToken);
 		given(csrfTokenRepository.loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class)))
-				.willReturn(new TestDeferredCsrfToken(csrfToken));
+			.willReturn(new TestDeferredCsrfToken(csrfToken));
 		CsrfTokenRequestHandlerConfig.REPO = csrfTokenRepository;
 		CsrfTokenRequestHandlerConfig.HANDLER = new CsrfTokenRequestAttributeHandler();
 		this.spring.register(CsrfTokenRequestHandlerConfig.class, BasicController.class).autowire();
@@ -497,13 +500,13 @@ public void getLoginWhenXorCsrfTokenRequestAttributeHandlerSetThenRespondsWithMa
 		CsrfTokenRepository csrfTokenRepository = mock(CsrfTokenRepository.class);
 		CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
 		given(csrfTokenRepository.loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class)))
-				.willReturn(new TestDeferredCsrfToken(csrfToken));
+			.willReturn(new TestDeferredCsrfToken(csrfToken));
 		CsrfTokenRequestHandlerConfig.REPO = csrfTokenRepository;
 		CsrfTokenRequestHandlerConfig.HANDLER = new XorCsrfTokenRequestAttributeHandler();
 		this.spring.register(CsrfTokenRequestHandlerConfig.class, BasicController.class).autowire();
 		this.mvc.perform(get("/login"))
-				.andExpect(status().isOk())
-				.andExpect(content().string(not(containsString(csrfToken.getToken()))));
+			.andExpect(status().isOk())
+			.andExpect(content().string(not(containsString(csrfToken.getToken()))));
 		verify(csrfTokenRepository).loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class));
 		verifyNoMoreInteractions(csrfTokenRepository);
 	}
@@ -514,7 +517,7 @@ public void loginWhenXorCsrfTokenRequestAttributeHandlerSetAndMaskedCsrfTokenThe
 		CsrfTokenRepository csrfTokenRepository = mock(CsrfTokenRepository.class);
 		given(csrfTokenRepository.loadToken(any(HttpServletRequest.class))).willReturn(csrfToken);
 		given(csrfTokenRepository.loadDeferredToken(any(HttpServletRequest.class), any(HttpServletResponse.class)))
-				.willReturn(new TestDeferredCsrfToken(csrfToken));
+			.willReturn(new TestDeferredCsrfToken(csrfToken));
 		CsrfTokenRequestHandlerConfig.REPO = csrfTokenRepository;
 		CsrfTokenRequestHandlerConfig.HANDLER = new XorCsrfTokenRequestAttributeHandler();
 		this.spring.register(CsrfTokenRequestHandlerConfig.class, BasicController.class).autowire();
@@ -576,8 +579,8 @@ public void postWhenHttpBasicAndCookieCsrfTokenRepositorySetAndExistingTokenThen
 		headers.setBasicAuth("user", "password");
 		// @formatter:off
 		MvcResult mvcResult = this.mvc.perform(post("/")
-						.cookie(existingCookie)
-						.headers(headers))
+				.cookie(existingCookie)
+				.headers(headers))
 				.andExpect(status().isOk())
 				.andReturn();
 		// @formatter:on
@@ -602,7 +605,7 @@ public void getWhenHttpBasicAndCookieCsrfTokenRepositorySetAndNoExistingCookieTh
 		headers.setBasicAuth("user", "password");
 		// @formatter:off
 		MvcResult mvcResult = this.mvc.perform(get("/")
-						.headers(headers))
+				.headers(headers))
 				.andExpect(status().isOk())
 				.andReturn();
 		// @formatter:on
@@ -613,35 +616,33 @@ public void getWhenHttpBasicAndCookieCsrfTokenRepositorySetAndNoExistingCookieTh
 
 	@Test
 	public void spaConfigForbidden() throws Exception {
-		this.spring
-				.register(CsrfSpaConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
-				.autowire();
+		this.spring.register(CsrfSpaConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
+			.autowire();
 		this.mvc.perform(post("/")).andExpect(status().isForbidden());
 	}
 
 	@Test
 	public void spaConfigOk() throws Exception {
-		this.spring
-				.register(CsrfSpaConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
-				.autowire();
+		this.spring.register(CsrfSpaConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
+			.autowire();
 		this.mvc.perform(post("/").with(csrf())).andExpect(status().isOk());
 	}
 
 	@Test
 	public void spaConfigDoubleSubmit() throws Exception {
-		this.spring
-				.register(CsrfSpaConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
-				.autowire();
-		var token = this.mvc
-				.perform(post("/"))
-				.andExpect(status().isForbidden())
-				.andExpect(cookie().exists("XSRF-TOKEN"))
-				.andReturn().getResponse().getCookie("XSRF-TOKEN");
+		this.spring.register(CsrfSpaConfig.class, AllowHttpMethodsFirewallConfig.class, BasicController.class)
+			.autowire();
+		var token = this.mvc.perform(post("/"))
+			.andExpect(status().isForbidden())
+			.andExpect(cookie().exists("XSRF-TOKEN"))
+			.andReturn()
+			.getResponse()
+			.getCookie("XSRF-TOKEN");
 
-		this.mvc.perform(post("/")
-						.header("X-XSRF-TOKEN", token.getValue())
-						.cookie(new Cookie("XSRF-TOKEN", token.getValue())))
-				.andExpect(status().isOk());
+		this.mvc
+			.perform(post("/").header("X-XSRF-TOKEN", token.getValue())
+				.cookie(new Cookie("XSRF-TOKEN", token.getValue())))
+			.andExpect(status().isOk());
 	}
 
 	@Configuration
@@ -675,7 +676,7 @@ static class DisableCsrfConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.csrf()
+				.csrf()
 					.disable();
 			return http.build();
 			// @formatter:on
@@ -691,7 +692,7 @@ static class DisableCsrfInLambdaConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.csrf(AbstractHttpConfigurer::disable);
+				.csrf(AbstractHttpConfigurer::disable);
 			return http.build();
 			// @formatter:on
 		}
@@ -706,12 +707,12 @@ static class DisableCsrfEnablesRequestCacheConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.authorizeRequests()
+				.authorizeRequests()
 					.anyRequest().authenticated()
 					.and()
-					.formLogin()
+				.formLogin()
 					.and()
-					.csrf()
+				.csrf()
 					.disable();
 			// @formatter:on
 			return http.build();
@@ -734,12 +735,12 @@ static class CsrfDisablesPostRequestFromRequestCacheConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.authorizeRequests()
+				.authorizeRequests()
 					.anyRequest().authenticated()
 					.and()
-					.formLogin()
+				.formLogin()
 					.and()
-					.csrf()
+				.csrf()
 					.csrfTokenRepository(REPO);
 			// @formatter:on
 			return http.build();
@@ -760,9 +761,9 @@ static class InvalidSessionUrlConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.csrf()
+				.csrf()
 					.and()
-					.sessionManagement()
+				.sessionManagement()
 					.invalidSessionUrl("/error/sessionError");
 			return http.build();
 			// @formatter:on
@@ -780,7 +781,7 @@ static class RequireCsrfProtectionMatcherConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.csrf()
+				.csrf()
 					.requireCsrfProtectionMatcher(MATCHER);
 			return http.build();
 			// @formatter:on
@@ -798,7 +799,7 @@ static class RequireCsrfProtectionMatcherInLambdaConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.csrf((csrf) -> csrf.requireCsrfProtectionMatcher(MATCHER));
+				.csrf((csrf) -> csrf.requireCsrfProtectionMatcher(MATCHER));
 			return http.build();
 			// @formatter:on
 		}
@@ -815,9 +816,9 @@ static class CsrfTokenRepositoryConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.formLogin()
+				.formLogin()
 					.and()
-					.csrf()
+				.csrf()
 					.csrfTokenRepository(REPO);
 			// @formatter:on
 			return http.build();
@@ -840,8 +841,8 @@ static class CsrfTokenRepositoryInLambdaConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.formLogin(withDefaults())
-					.csrf((csrf) -> csrf.csrfTokenRepository(REPO));
+				.formLogin(withDefaults())
+				.csrf((csrf) -> csrf.csrfTokenRepository(REPO));
 			return http.build();
 			// @formatter:on
 		}
@@ -858,7 +859,7 @@ static class AccessDeniedHandlerConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.exceptionHandling()
+				.exceptionHandling()
 					.accessDeniedHandler(DENIED_HANDLER);
 			return http.build();
 			// @formatter:on
@@ -878,7 +879,7 @@ static class DefaultAccessDeniedHandlerForConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.exceptionHandling()
+				.exceptionHandling()
 					.defaultAccessDeniedHandlerFor(DENIED_HANDLER, MATCHER);
 			return http.build();
 			// @formatter:on
@@ -894,7 +895,7 @@ static class FormLoginConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.formLogin();
+				.formLogin();
 			return http.build();
 			// @formatter:on
 		}
@@ -909,9 +910,9 @@ static class LogoutAllowsGetConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.formLogin()
+				.formLogin()
 					.and()
-					.logout()
+				.logout()
 					.logoutRequestMatcher(new AntPathRequestMatcher("/logout"));
 			return http.build();
 			// @formatter:on
@@ -927,7 +928,7 @@ static class NullRequireCsrfProtectionMatcherConfig {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.csrf()
+				.csrf()
 					.requireCsrfProtectionMatcher(null);
 			return http.build();
 			// @formatter:on
@@ -943,12 +944,12 @@ static class DefaultDoesNotCreateSession {
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.authorizeRequests()
+				.authorizeRequests()
 					.anyRequest().permitAll()
 					.and()
-					.formLogin()
+				.formLogin()
 					.and()
-					.httpBasic();
+				.httpBasic();
 			// @formatter:on
 			return http.build();
 		}
@@ -1013,14 +1014,14 @@ static class CsrfTokenRequestHandlerConfig {
 		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.authorizeHttpRequests((authorize) -> authorize
-							.anyRequest().authenticated()
-					)
-					.formLogin(Customizer.withDefaults())
-					.csrf((csrf) -> csrf
-							.csrfTokenRepository(REPO)
-							.csrfTokenRequestHandler(HANDLER)
-					);
+				.authorizeHttpRequests((authorize) -> authorize
+					.anyRequest().authenticated()
+				)
+				.formLogin(Customizer.withDefaults())
+				.csrf((csrf) -> csrf
+					.csrfTokenRepository(REPO)
+					.csrfTokenRequestHandler(HANDLER)
+				);
 			// @formatter:on
 
 			return http.build();
@@ -1043,11 +1044,11 @@ static class CsrfSpaConfig {
 
 		@Bean
 		SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-			http.csrf(CsrfCustomizer.spaDefaults());
+			http.csrf(CsrfConfigurer::spa);
 			return http.build();
 		}
-	}
 
+	}
 
 	@Configuration
 	@EnableWebSecurity
@@ -1061,14 +1062,14 @@ static class HttpBasicCsrfTokenRequestHandlerConfig {
 		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
-					.authorizeHttpRequests((authorize) -> authorize
-							.anyRequest().authenticated()
-					)
-					.httpBasic(Customizer.withDefaults())
-					.csrf((csrf) -> csrf
-							.csrfTokenRepository(REPO)
-							.csrfTokenRequestHandler(HANDLER)
-					);
+				.authorizeHttpRequests((authorize) -> authorize
+					.anyRequest().authenticated()
+				)
+				.httpBasic(Customizer.withDefaults())
+				.csrf((csrf) -> csrf
+					.csrfTokenRepository(REPO)
+					.csrfTokenRequestHandler(HANDLER)
+				);
 			// @formatter:on
 
 			return http.build();
@@ -1078,7 +1079,7 @@ SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		void configure(AuthenticationManagerBuilder auth) throws Exception {
 			// @formatter:off
 			auth
-					.inMemoryAuthentication()
+				.inMemoryAuthentication()
 					.withUser(PasswordEncodedUser.user());
 			// @formatter:on
 		}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/CsrfConfigurerTests.java

@@ -787,48 +787,10 @@ public class SecurityConfig {
 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 		http
 			// ...
-			.csrf((csrf) -> csrf
-				.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())   // <1>
-				.csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler())            // <2>
-			);
+			.csrf((csrf) -> csrf.spa());
 		return http.build();
 	}
 }
-
-final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
-	private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
-	private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();
-
-	@Override
-	public void handle(HttpServletRequest request, HttpServletResponse response, Supplier<CsrfToken> csrfToken) {
-		/*
-		 * Always use XorCsrfTokenRequestAttributeHandler to provide BREACH protection of
-		 * the CsrfToken when it is rendered in the response body.
-		 */
-		this.xor.handle(request, response, csrfToken);
-		/*
-		 * Render the token value to a cookie by causing the deferred token to be loaded.
-		 */
-		csrfToken.get();
-	}
-
-	@Override
-	public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
-		String headerValue = request.getHeader(csrfToken.getHeaderName());
-		/*
-		 * If the request contains a request header, use CsrfTokenRequestAttributeHandler
-		 * to resolve the CsrfToken. This applies when a single-page application includes
-		 * the header value automatically, which was obtained via a cookie containing the
-		 * raw CsrfToken.
-		 *
-		 * In all other cases (e.g. if the request contains a request parameter), use
-		 * XorCsrfTokenRequestAttributeHandler to resolve the CsrfToken. This applies
-		 * when a server-side rendered form includes the _csrf request parameter as a
-		 * hidden input.
-		 */
-		return (StringUtils.hasText(headerValue) ? this.plain : this.xor).resolveCsrfTokenValue(request, csrfToken);
-	}
-}
 ----
 
 Kotlin::
@@ -846,51 +808,12 @@ class SecurityConfig {
         http {
             // ...
             csrf {
-                csrfTokenRepository = CookieCsrfTokenRepository.withHttpOnlyFalse()   // <1>
-                csrfTokenRequestHandler = SpaCsrfTokenRequestHandler()                // <2>
+                spa()
             }
         }
         return http.build()
     }
 }
-
-class SpaCsrfTokenRequestHandler : CsrfTokenRequestHandler {
-    private val plain: CsrfTokenRequestHandler = CsrfTokenRequestAttributeHandler()
-    private val xor: CsrfTokenRequestHandler = XorCsrfTokenRequestAttributeHandler()
-
-    override fun handle(request: HttpServletRequest, response: HttpServletResponse, csrfToken: Supplier<CsrfToken>) {
-        /*
-         * Always use XorCsrfTokenRequestAttributeHandler to provide BREACH protection of
-         * the CsrfToken when it is rendered in the response body.
-         */
-        xor.handle(request, response, csrfToken)
-        /*
-         * Render the token value to a cookie by causing the deferred token to be loaded.
-         */
-        csrfToken.get()
-    }
-
-    override fun resolveCsrfTokenValue(request: HttpServletRequest, csrfToken: CsrfToken): String? {
-        val headerValue = request.getHeader(csrfToken.headerName)
-        /*
-         * If the request contains a request header, use CsrfTokenRequestAttributeHandler
-         * to resolve the CsrfToken. This applies when a single-page application includes
-         * the header value automatically, which was obtained via a cookie containing the
-         * raw CsrfToken.
-         */
-        return if (StringUtils.hasText(headerValue)) {
-            plain
-        } else {
-            /*
-             * In all other cases (e.g. if the request contains a request parameter), use
-             * XorCsrfTokenRequestAttributeHandler to resolve the CsrfToken. This applies
-             * when a server-side rendered form includes the _csrf request parameter as a
-             * hidden input.
-             */
-            xor
-        }.resolveCsrfTokenValue(request, csrfToken)
-    }
-}
 ----
 
 XML::
@@ -899,22 +822,13 @@ XML::
 ----
 <http>
 	<!-- ... -->
-	<csrf
-		token-repository-ref="tokenRepository"                                        <1>
-		request-handler-ref="requestHandler"/>                                        <2>
+	<csrf>
+        <spa />
+    </csrf>
 </http>
-<b:bean id="tokenRepository"
-	class="org.springframework.security.web.csrf.CookieCsrfTokenRepository"
-	p:cookieHttpOnly="false"/>
-<b:bean id="requestHandler"
-	class="example.SpaCsrfTokenRequestHandler"/>
 ----
 ======
 
-<1> Configure `CookieCsrfTokenRepository` with `HttpOnly` set to `false` so the cookie can be read by the JavaScript application.
-<2> Configure a custom `CsrfTokenRequestHandler` that resolves the CSRF token based on whether it is an HTTP request header (`X-XSRF-TOKEN`) or request parameter (`_csrf`).
-    This implementation also causes the deferred `CsrfToken` to be loaded on every request, which will return a new cookie if needed.
-
 [[csrf-integration-javascript-mpa]]
 ==== Multi-Page Applications