
Add reactive CSRF samples to docs

Issue gh-8172
Eleftheria Stein 5 年之前
父节点
当前提交
a63a0e3765
共有 1 个文件被更改,包括 81 次插入7 次删除
  1. 81 7
      docs/manual/src/docs/asciidoc/_includes/reactive/exploits/csrf.adoc

+ 81 - 7
docs/manual/src/docs/asciidoc/_includes/reactive/exploits/csrf.adoc

@@ -34,9 +34,10 @@ These defaults come from https://docs.angularjs.org/api/ng/service/$http#cross-s
 
 You can configure `CookieCsrfTokenRepository` in Java Configuration using:
 
-.Store CSRF Token in a Cookie with Java Configuration
+.Store CSRF Token in a Cookie
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 -----
 @Bean
 public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@@ -46,6 +47,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
 	return http.build();
 }
 -----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+-----
+@Bean
+fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        csrf {
+            csrfTokenRepository = CookieServerCsrfTokenRepository.withHttpOnlyFalse()
+        }
+    }
+}
+-----
 ====
 
 [NOTE]
@@ -62,9 +77,10 @@ However, it is simple to disable CSRF protection if it <<csrf-when,makes sense f
 
 The Java configuration below will disable CSRF protection.
 
-.Disable CSRF Java Configuration
+.Disable CSRF Configuration
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
 @Bean
 public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@@ -74,6 +90,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
 	return http.build();
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+-----
+@Bean
+fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        csrf {
+            disable()
+        }
+    }
+}
+-----
 ====
 
 [[webflux-csrf-include]]
@@ -91,7 +121,8 @@ For example, the following code will place the `CsrfToken` on the default attrib
 
 .`CsrfToken` as `@ModelAttribute`
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
 @ControllerAdvice
 public class SecurityControllerAdvice {
@@ -103,6 +134,21 @@ public class SecurityControllerAdvice {
 	}
 }
 ----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@ControllerAdvice
+class SecurityControllerAdvice {
+    @ModelAttribute
+    fun csrfToken(exchange: ServerWebExchange): Mono<CsrfToken> {
+        val csrfToken: Mono<CsrfToken>? = exchange.getAttribute(CsrfToken::class.java.name)
+        return csrfToken!!.doOnSuccess { token ->
+            exchange.attributes[CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME] = token
+        }
+    }
+}
+----
 ====
 
 Fortunately, Thymeleaf provides <<webflux-csrf-include-form-auto,integration>> that works without any additional work.
@@ -253,7 +299,8 @@ For example, the following Java Configuration will perform logout with the URL `
 
 .Log out with HTTP GET
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
 @Bean
 public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@@ -262,7 +309,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
 		.logout(logout -> logout.requiresLogout(new PathPatternParserServerWebExchangeMatcher("/logout")))
 	return http.build();
 }
+----
 
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+        // ...
+        logout {
+            requiresLogout = PathPatternParserServerWebExchangeMatcher("/logout")
+        }
+    }
+}
 ----
 ====
 
@@ -301,7 +361,8 @@ In a WebFlux application, this can be configured with the following configuratio
 
 .Enable obtaining CSRF token from multipart/form-data
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
 @Bean
 public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@@ -310,7 +371,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
 		.csrf(csrf -> csrf.tokenFromMultipartDataEnabled(true))
 	return http.build();
 }
+----
 
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+    return http {
+		// ...
+        csrf {
+            tokenFromMultipartDataEnabled = true
+        }
+    }
+}
 ----
 ====