Etusivu Tutki Apua
Rekisteröidy Kirjaudu sisään
github
/
spring-security
peilaus alkaen https://github.com/spring-projects/spring-security
2
0
Fork 0
Tiedostot Ongelmat 0 Wiki
Puu: 52888d6206
Haarat Tagit
spring-security
/
docs
/
modules
/
ROOT
/
pages
/
migration
/
servlet
/
exploits.adoc

exploits.adoc 4.3 KB
Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168 
  1. = Exploit Protection Migrations
    2. 

  2. 

  3. The following steps relate to changes around how to configure CSRF.
    4. 

  4. 

  5. == Defer Loading CsrfToken
    6. 

  6. 

  7. In Spring Security 5, the default behavior is that the `CsrfToken` will be loaded on every request.
    8. 

  8. This means that in a typical setup, the `HttpSession` must be read for every request even if it is unnecessary.
    9. 

  9. 

  10. In Spring Security 6, the default is that the lookup of the `CsrfToken` will be deferred until it is needed.
    11. 

  11. 

  12. To opt into the new Spring Security 6 default, the following configuration can be used.
    13. 

  13. 

  14. .Defer Loading `CsrfToken`
    15. 

  15. ====
    16. 

  16. .Java
    17. 

  17. [source,java,role="primary"]
    18. 

  18. ----
    19. 

  19. @Bean
    20. 

  20. DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
    21. 

  21. 	CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
    22. 

  22. 	// set the name of the attribute the CsrfToken will be populated on
    23. 

  23. 	requestHandler.setCsrfRequestAttributeName("_csrf");
    24. 

  24. 	http
    25. 

  25. 		// ...
    26. 

  26. 		.csrf((csrf) -> csrf
    27. 

  27. 			.csrfTokenRequestHandler(requestHandler)
    28. 

  28. 		);
    29. 

  29. 	return http.build();
    30. 

  30. }
    31. 

  31. ----
    32. 

  32. 

  33. .Kotlin
    34. 

  34. [source,kotlin,role="secondary"]
    35. 

  35. ----
    36. 

  36. @Bean
    37. 

  37. open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
    38. 

  38. 	val requestHandler = CsrfTokenRequestAttributeHandler()
    39. 

  39. 	// set the name of the attribute the CsrfToken will be populated on
    40. 

  40. 	requestHandler.setCsrfRequestAttributeName("_csrf")
    41. 

  41. 	http {
    42. 

  42. 		csrf {
    43. 

  43. 			csrfTokenRequestHandler = requestHandler
    44. 

  44. 		}
    45. 

  45. 	}
    46. 

  46. 	return http.build()
    47. 

  47. }
    48. 

  48. ----
    49. 

  49. 

  50. .XML
    51. 

  51. [source,xml,role="secondary"]
    52. 

  52. ----
    53. 

  53. <http>
    54. 

  54. 	<!-- ... -->
    55. 

  55. 	<csrf request-handler-ref="requestHandler"/>
    56. 

  56. </http>
    57. 

  57. <b:bean id="requestHandler"
    58. 

  58. 	class="org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler"
    59. 

  59. 	p:csrfRequestAttributeName="_csrf"/>
    60. 

  60. ----
    61. 

  61. ====
    62. 

  62. 

  63. If this breaks your application, then you can explicitly opt into the 5.8 defaults using the following configuration:
    64. 

  64. 

  65. .Explicit Configure `CsrfToken` with 5.8 Defaults
    66. 

  66. ====
    67. 

  67. .Java
    68. 

  68. [source,java,role="primary"]
    69. 

  69. ----
    70. 

  70. @Bean
    71. 

  71. DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
    72. 

  72. 	CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
    73. 

  73. 	// set the name of the attribute the CsrfToken will be populated on
    74. 

  74. 	requestHandler.setCsrfRequestAttributeName(null);
    75. 

  75. 	http
    76. 

  76. 		// ...
    77. 

  77. 		.csrf((csrf) -> csrf
    78. 

  78. 			.csrfTokenRequestHandler(requestHandler)
    79. 

  79. 		);
    80. 

  80. 	return http.build();
    81. 

  81. }
    82. 

  82. ----
    83. 

  83. 

  84. .Kotlin
    85. 

  85. [source,kotlin,role="secondary"]
    86. 

  86. ----
    87. 

  87. @Bean
    88. 

  88. open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
    89. 

  89. 	val requestHandler = CsrfTokenRequestAttributeHandler()
    90. 

  90. 	// set the name of the attribute the CsrfToken will be populated on
    91. 

  91. 	requestHandler.setCsrfRequestAttributeName(null)
    92. 

  92. 	http {
    93. 

  93. 		csrf {
    94. 

  94. 			csrfTokenRequestHandler = requestHandler
    95. 

  95. 		}
    96. 

  96. 	}
    97. 

  97. 	return http.build()
    98. 

  98. }
    99. 

  99. ----
    100. 

  100. 

  101. .XML
    102. 

  102. [source,xml,role="secondary"]
    103. 

  103. ----
    104. 

  104. <http>
    105. 

  105. 	<!-- ... -->
    106. 

  106. 	<csrf request-handler-ref="requestHandler"/>
    107. 

  107. </http>
    108. 

  108. <b:bean id="requestHandler"
    109. 

  109. 	class="org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler">
    110. 

  110. 	<b:property name="csrfRequestAttributeName">
    111. 

  111. 		<b:null/>
    112. 

  112. 	</b:property>
    113. 

  113. </b:bean>
    114. 

  114. ----
    115. 

  115. ====
    116. 

  116. 

  117. == Protect against CSRF BREACH
    118. 

  118. 

  119. If the steps for <<Defer Loading CsrfToken>> work for you, then you can also opt into Spring Security 6's default support for BREACH protection of the `CsrfToken` using the following configuration:
    120. 

  120. 

  121. .`CsrfToken` BREACH Protection
    122. 

  122. ====
    123. 

  123. .Java
    124. 

  124. [source,java,role="primary"]
    125. 

  125. ----
    126. 

  126. @Bean
    127. 

  127. DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
    128. 

  128. 	XorCsrfTokenRequestAttributeHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
    129. 

  129. 	// set the name of the attribute the CsrfToken will be populated on
    130. 

  130. 	requestHandler.setCsrfRequestAttributeName("_csrf");
    131. 

  131. 	http
    132. 

  132. 		// ...
    133. 

  133. 		.csrf((csrf) -> csrf
    134. 

  134. 			.csrfTokenRequestHandler(requestHandler)
    135. 

  135. 		);
    136. 

  136. 	return http.build();
    137. 

  137. }
    138. 

  138. ----
    139. 

  139. 

  140. .Kotlin
    141. 

  141. [source,kotlin,role="secondary"]
    142. 

  142. ----
    143. 

  143. @Bean
    144. 

  144. open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
    145. 

  145. 	val requestHandler = XorCsrfTokenRequestAttributeHandler()
    146. 

  146. 	// set the name of the attribute the CsrfToken will be populated on
    147. 

  147. 	requestHandler.setCsrfRequestAttributeName("_csrf")
    148. 

  148. 	http {
    149. 

  149. 		csrf {
    150. 

  150. 			csrfTokenRequestHandler = requestHandler
    151. 

  151. 		}
    152. 

  152. 	}
    153. 

  153. 	return http.build()
    154. 

  154. }
    155. 

  155. ----
    156. 

  156. 

  157. .XML
    158. 

  158. [source,xml,role="secondary"]
    159. 

  159. ----
    160. 

  160. <http>
    161. 

  161. 	<!-- ... -->
    162. 

  162. 	<csrf request-handler-ref="requestHandler"/>
    163. 

  163. </http>
    164. 

  164. <b:bean id="requestHandler"
    165. 

  165. 	class="org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler"
    166. 

  166. 	p:csrfRequestAttributeName="_csrf"/>
    167. 

  167. ----
    168. 

  168. ====
    169.