I am trying to override CSRF token creation with a CsrfTokenRepository. The solution works well with Spring Boot 2.x but does not work with 3.x:

Configuration class:

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfTokenRepository;

@Configuration
@EnableWebSecurity
public class ProjectConfig {

    @Bean
    public CsrfTokenRepository customTokenRepository() {
        return new CustomCsrfTokenRepository();
    }

    @Bean
    public SecurityFilterChain configuration(HttpSecurity http) throws Exception {
        http
                .csrf(c -> c.csrfTokenRepository(customTokenRepository()))
                // lambda form: the chained authorizeHttpRequests() style is deprecated in Spring Security 6.1
                .authorizeHttpRequests(a -> a.anyRequest().permitAll());
        return http.build();
    }
}
CustomCsrfTokenRepository:

import java.util.UUID;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.DefaultCsrfToken;
public class CustomCsrfTokenRepository implements CsrfTokenRepository {
    private static final Logger log = LoggerFactory.getLogger(CustomCsrfTokenRepository.class);

    @Override
    public CsrfToken generateToken(HttpServletRequest request) {
        log.info("generateToken");
        return new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", UUID.randomUUID().toString());
    }

    @Override
    public void saveToken(CsrfToken token, HttpServletRequest request, HttpServletResponse response) {
        log.info("saveToken");
        // a null token clears the stored value: setAttribute(name, null) removes the attribute
        request.getSession().setAttribute("CUSTOM_CSRF_TOKEN", token);
    }

    @Override
    public CsrfToken loadToken(HttpServletRequest request) {
        log.info("loadToken");
        HttpSession session = request.getSession(false);
        return session == null ? null : (CsrfToken) session.getAttribute("CUSTOM_CSRF_TOKEN");
    }
}

And I created a simple endpoint:

@GetMapping("/hello")
public String getHello() {
 return "Get Hello!";
}

Now, when I GET the /hello endpoint, I expect execution to reach the CustomCsrfTokenRepository#loadToken method (as with Spring Boot 2.x), but I receive only the "Get Hello!" response.

I determined that the difference between Spring Boot 2.x and 3.x is that CsrfTokenRepository imports different HttpServlet... types: in 2.x from the javax.servlet.http... package, in 3.x from jakarta...

How to correctly repeat this solution in spring-boot 3.x?

Valentyn Hruzytskyi
  • check this if it helps https://stackoverflow.com/questions/20862299/with-spring-security-3-2-0-release-how-can-i-get-the-csrf-token-in-a-page-that – surendrapanday Apr 16 '23 at 09:42

1 Answer

In Spring Security 6 the CSRF token is only created lazily on demand. Your endpoint doesn't need it, so it isn't created.

Dave Syer
  • Do you have a reference to the documentation? – Nikolas Charalambidis Apr 21 '23 at 09:18
  • So, how is the CSRF token created in SS6? As I know, the CSRF token is created with a GET request, accepted with the response, and used in the following requests. How is this algorithm implemented now? – Valentyn Hruzytskyi Apr 22 '23 at 11:02
  • It's the same as before. But the token is never created if you don't reference it in the GET (e.g. if you render `${_csrf.token}` in a template). – Dave Syer Apr 23 '23 at 12:50
  • User guide is here: https://docs.spring.io/spring-security/reference/index.html (you have to find the relevant section depending on whether you are using servlet or reactive stacks). – Dave Syer Apr 23 '23 at 12:50
  • @DaveSyer Do I need to enable CSRF protection for the API layer? If CSRF protection already exists on the UI layer, and this layer makes requests to the API server, then the API server can handle requests without CSRF protection. Right? – Valentyn Hruzytskyi May 14 '23 at 16:39
  • @DaveSyer In the other case I do not understand how to implement CSRF protection for the API in SS6. If I don't get a token with a GET request through the API, I will not be able to make a POST request with a CSRF token. – Valentyn Hruzytskyi May 14 '23 at 17:34
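The following is an added example, not code from the question or the answer, showing how to make the deferred token load on a plain GET in Spring Security 6 so that the repository callbacks fire and an API client can fetch the token before its first POST. It reuses the CustomCsrfTokenRepository from the question; the filter name CsrfTokenLoadingFilter, the /csrf endpoint and the CsrfController class are assumptions introduced here for illustration. The filter follows the same pattern as the CsrfCookieFilter in the Spring Security reference documentation: reading the token from the request attribute resolves the DeferredCsrfToken, which calls loadToken() and, if nothing is stored, generateToken() followed by saveToken().

```java
import java.io.IOException;
import java.util.Map;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;

@Configuration
@EnableWebSecurity
public class ProjectConfig {

    @Bean
    public CsrfTokenRepository customTokenRepository() {
        // the repository from the question; assumed to return a real token from generateToken()
        return new CustomCsrfTokenRepository();
    }

    @Bean
    public SecurityFilterChain configuration(HttpSecurity http) throws Exception {
        http
            .csrf(c -> c
                .csrfTokenRepository(customTokenRepository())
                // Plain handler: clients see the raw token rather than the default
                // XOR-masked form, so a JS client can echo it back unchanged.
                // Trade-off: this gives up the BREACH mitigation of the default handler.
                .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()))
            // CsrfFilter has already stored the DeferredCsrfToken in the request by the time this runs
            .addFilterAfter(new CsrfTokenLoadingFilter(), CsrfFilter.class)
            .authorizeHttpRequests(a -> a.anyRequest().permitAll());
        return http.build();
    }

    /**
     * Hypothetical filter (assumption, not part of Spring Security) that forces the deferred
     * token to be resolved on every request, including GETs that never reference the token.
     * Resolving it calls loadToken(); when nothing is stored yet, generateToken() and
     * saveToken() follow, so the repository's log lines appear again as they did in 2.x.
     */
    static final class CsrfTokenLoadingFilter extends OncePerRequestFilter {
        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                        FilterChain filterChain) throws ServletException, IOException {
            CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
            if (csrfToken != null) {
                csrfToken.getToken(); // resolves the DeferredCsrfToken and triggers the repository
            }
            filterChain.doFilter(request, response);
        }
    }
}

/** Hypothetical endpoint (assumption) that an API client calls once to obtain the token it must send later. */
@RestController
class CsrfController {
    @GetMapping("/csrf")
    public Map<String, String> csrf(CsrfToken token) {
        // CsrfToken is injected by Spring Security's CsrfTokenArgumentResolver (registered by
        // @EnableWebSecurity); reading it here also resolves the deferred token.
        return Map.of("headerName", token.getHeaderName(), "token", token.getToken());
    }
}
```

With this in place, a client does one GET /csrf (keeping the session cookie), then sends the returned token in the X-CSRF-TOKEN header on every POST, PUT, PATCH or DELETE; CsrfFilter compares it against loadToken() and rejects the request with 403 on mismatch. Forcing the load on every request costs a repository lookup per GET, which is exactly the work Spring Security 6 avoids by deferring; if only the API needs the token, restricting the filter to the /csrf path (or dropping the filter and relying on the controller alone) keeps the lazy behaviour for everything else.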