gateway csrf return to spring 5.8 default

it-at-m · Nov 16, 2023 · df42ca9 · df42ca9
1 parent 45763a0
commit df42ca9
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/...way/src/main/java/de/muenchen/oss/digiwf/gateway/configuration/SecurityConfiguration.java b/...way/src/main/java/de/muenchen/oss/digiwf/gateway/configuration/SecurityConfiguration.java
@@ -16,6 +16,7 @@
 import org.springframework.security.web.server.authentication.RedirectServerAuthenticationSuccessHandler;
 import org.springframework.security.web.server.authentication.logout.HttpStatusReturningServerLogoutSuccessHandler;
 import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
+import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
 import reactor.core.publisher.Mono;
 
@@ -59,6 +60,12 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
                     })
                 .cors(corsSpec -> {})
                 .csrf(csrfSpec -> {
+                    /*
+                     * Default config before spring security 6.0.
+                     * Is vulnerable to BREACH attack.
+                     * https://docs.spring.io/spring-security/reference/reactive/exploits/csrf.html#webflux-csrf-configure-request-handler
+                     */
+                    csrfSpec.csrfTokenRequestHandler(new ServerCsrfTokenRequestAttributeHandler());
                     /*
                      * The necessary subscription for csrf token attachment to {@link ServerHttpResponse}
                      * is done in class {@link CsrfTokenAppendingHelperFilter}.