Simplify CSRF Configuration for SPAs #14149
Comments
Note that this can be achieved with the existing DSL in the following way:

```java
import java.util.function.Supplier;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;

// Usage: http.csrf(CsrfCustomizers.spaDefaults())
public final class CsrfCustomizers {
    public static Customizer<CsrfConfigurer<HttpSecurity>> spaDefaults() {
        return (csrf) -> csrf
            // HttpOnly=false so the SPA's JavaScript can read the XSRF-TOKEN cookie
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler());
    }

    private static final class SpaCsrfTokenRequestHandler implements CsrfTokenRequestHandler {
        private final CsrfTokenRequestHandler plain = new CsrfTokenRequestAttributeHandler();
        private final CsrfTokenRequestHandler xor = new XorCsrfTokenRequestAttributeHandler();

        @Override
        public void handle(HttpServletRequest request, HttpServletResponse response, Supplier<CsrfToken> csrfToken) {
            // Expose the token (XOR-masked on each read) as a request attribute for server-rendered forms
            this.xor.handle(request, response, csrfToken);
            // Resolve the deferred token now so the repository writes the cookie on every response;
            // this is the "subscribe" step that otherwise needs a separate filter
            csrfToken.get();
        }

        @Override
        public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
            // A header carries the raw cookie value (compare plainly); a form parameter carries the XOR-masked value
            String header = request.getHeader(csrfToken.getHeaderName());
            return ((header != null) ? this.plain : this.xor).resolveCsrfTokenValue(request, csrfToken);
        }
    }
}
```
Will
Would you kindly expose this Most of my OAuth2 clients (with
Sure, @ch4mpy. I think that's something we could consider in the context of this ticket. I think one of the main sticky points is whether the implementation should subscribe in such a way as to ensure that the cookie is written without requiring an extra filter. It's a bit easier to hide that choice behind the context of something more opinionated like the DSL.
@jzheaux, in my opinion, yes: when I use a customizer or configuration option called With Boot, it's easy to add I have not tried to find a way to do the same with just a customizer, but that would have the advantage of being usable even without Boot (and activating such a customizer based on properties in a Boot starter would be trivial).
Just want to drop a message that this is still needed. Spent a lot of time in docs and issues figuring out the current correct way to prevent CSRF for a SPA in Spring Cloud Gateway (Reactive) with Spring Security.
I vote for this suggestion!! Please make things simple by reducing boilerplate code, especially for common scenarios.
So I fell into the same bear pit trying to figure out CSRF combined with SPA. Makes a lot of sense to add a sensible default for this imho. I made a PR for this based on the documentation and the comment by @jzheaux. Not sure if this is the right approach though, I'm not an expert in spring-security nor in CSRF. But if this is something we'd like to continue I'm happy to update the documentation (edit: and my commit message and formatting apparently) accordingly. Something I noticed though is I had to add the
…4149) Signed-off-by: Felix Hagemans <[email protected]>
I'm closing this ticket in favor of working with @felhag through their PR.
For a SPA, the current recommendation for configuring CSRF is three-fold:

1. Set the `CsrfTokenRepository` to `CsrfTokenRepository#withHttpOnlyFalse`
2. Set the `CsrfAttributeHandler` to a custom class listed in the reference manual

The current state of the recommendation could be improved in a way that is less error-prone and requires less custom boilerplate for users.

One possibility is to provide a customizer like so:

Where said customizer would apply these three rules for them. I imagine this might look something like the following:

Where `csrfTokenRepositorySubscription` is pseudocode for a way to supply the repository and indicate that the filter chain should automatically subscribe to the cookie as part of formulating the response (#3 in the above list) and `SpaCsrfTokenRequestHandler` is pseudocode for an implementation that is similar to the sample in the reference guide.
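The browser half of the exchange these server-side defaults set up, as an added example that is not from the issue, its comments, or Spring Security itself: it assumes the `CookieCsrfTokenRepository` defaults (cookie `XSRF-TOKEN`, header `X-XSRF-TOKEN`) and a server handler that, like the `SpaCsrfTokenRequestHandler` in the first comment, compares a header value plainly, so the raw cookie value is echoed unchanged.

```javascript
// Added example, not from the issue or from Spring Security. Assumed defaults of
// CookieCsrfTokenRepository: cookie "XSRF-TOKEN", header "X-XSRF-TOKEN".
const CSRF_COOKIE = "XSRF-TOKEN";
const CSRF_HEADER = "X-XSRF-TOKEN";
// Methods CSRF protection does not cover; no header is needed for these.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Look up one cookie in a document.cookie string ("a=1; b=2"); null when absent.
// Works only because the cookie is written with HttpOnly=false.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    if (part.slice(0, idx).trim() === name) {
      return decodeURIComponent(part.slice(idx + 1).trim());
    }
  }
  return null;
}

// Build fetch() options, adding the CSRF header only for state-changing methods.
// The raw cookie value is sent as-is: the server resolves a header value with the
// plain handler, so no unmasking happens on the client side. A missing cookie means
// no earlier response wrote it (the "subscribe" step the issue discusses), so fail
// loudly rather than send a request the server will reject.
function withCsrf(cookieString, init = {}) {
  const method = (init.method || "GET").toUpperCase();
  const headers = { ...(init.headers || {}) };
  if (!SAFE_METHODS.has(method)) {
    const token = readCookie(cookieString, CSRF_COOKIE);
    if (token === null) {
      throw new Error(`${CSRF_COOKIE} cookie not present; request would fail CSRF validation`);
    }
    headers[CSRF_HEADER] = token;
  }
  return { ...init, method, headers, credentials: "same-origin" };
}

// In a browser: fetch("/api/orders", withCsrf(document.cookie, { method: "POST", body }))
```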