首頁 探索 說明
註冊 登入
github
/
spring-security
镜像来自 https://github.com/spring-projects/spring-security
2
0
複刻 0
檔案 問題管理 0 Wiki
目錄樹: 1bb5fe409b
分支列表 標籤列表
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
migration
/
servlet
/
exploits.adoc

exploits.adoc 2.4 KB
文件歷史 原始文件

1234567891011121314151617181920212223242526272829303132333435363738394041424344 
  1. = Exploit Protection Migrations
    2. 

  2. :spring-security-reference-base-url: https://docs.spring.io/spring-security/reference
    3. 

  3. 

  4. The 5.8 migration guide contains several steps for
    5. 

  5. ifdef::spring-security-version[]
    6. 

  6. {spring-security-reference-base-url}/5.8/migration/servlet/exploits.html[exploit protection migrations] when updating to 6.0.
    7. 

  7. endif::[]
    8. 

  8. ifndef::spring-security-version[]
    9. 

  9. exploit protection migrations when updating to 6.0.
    10. 

  10. endif::[]
    11. 

  11. You are encouraged to follow those steps first.
    12. 

  12. 

  13. The following steps relate to how to finish migrating exploit protection support.
    14. 

  14. 

  15. == Defer Loading CsrfToken
    16. 

  16. 

  17. In Spring Security 5.8, the default `CsrfTokenRequestHandler` for making the `CsrfToken` available to the application is `CsrfTokenRequestAttributeHandler`.
    18. 

  18. The default for the field `csrfRequestAttributeName` is `null`, which causes the CSRF token to be loaded on every request.
    19. 

  19. 

  20. In Spring Security 6, `csrfRequestAttributeName` defaults to `_csrf`.
    21. 

  21. If you configured the following only for the purpose of updating to 6.0, you can now remove it:
    22. 

  22. 

  23.     requestHandler.setCsrfRequestAttributeName("_csrf");
    24. 

  24. 

  25. == Protect against CSRF BREACH
    26. 

  26. 

  27. In Spring Security 5.8, the default `CsrfTokenRequestHandler` for making the `CsrfToken` available to the application is `CsrfTokenRequestAttributeHandler`.
    28. 

  28. `XorCsrfTokenRequestAttributeHandler` was added to allow opting into CSRF BREACH support.
    29. 

  29. 

  30. In Spring Security 6, `XorCsrfTokenRequestAttributeHandler` is the default `CsrfTokenRequestHandler` for making the `CsrfToken` available.
    31. 

  31. If you configured the `XorCsrfTokenRequestAttributeHandler` only for the purpose of updating to 6.0, you can remove it completely.
    32. 

  32. 

  33. [NOTE]
    34. 

  34. ====
    35. 

  35. If you have set the `csrfRequestAttributeName` to `null` in order to opt out of deferred tokens, or if you have configured a `CsrfTokenRequestHandler` for any other reason, you can leave the configuration in place.
    36. 

  36. ====
    37. 

  37. 

  38. == CSRF BREACH with WebSocket support
    39. 

  39. 

  40. In Spring Security 5.8, the default `ChannelInterceptor` for making the `CsrfToken` available with xref:servlet/integrations/websocket.adoc[WebSocket Security] is `CsrfChannelInterceptor`.
    41. 

  41. `XorCsrfChannelInterceptor` was added to allow opting into CSRF BREACH support.
    42. 

  42. 

  43. In Spring Security 6, `XorCsrfChannelInterceptor` is the default `ChannelInterceptor` for making the `CsrfToken` available.
    44. 

  44. If you configured the `XorCsrfChannelInterceptor` only for the purpose of updating to 6.0, you can remove it completely.
    45.