Expand Up @@ -47,6 +47,7 @@ class CsrfDsl {
private var ignoringRequestMatchers: Array<out RequestMatcher>? = null
private var ignoringRequestMatchersPatterns: Array<out String>? = null
private var disabled = false
private var spaMode = false

/**
* Allows specifying [HttpServletRequest]s that should not use CSRF Protection
Expand Down Expand Up @@ -76,6 +77,17 @@ class CsrfDsl {
disabled = true
}

/**
* Sensible CSRF defaults when used in combination with a single page application.
* Creates a cookie-based token repository and a custom request handler to resolve the
* actual token value instead of the encoded token.
*
* @since 7.1
*/
fun spa() {
spaMode = true
}

internal fun get(): (CsrfConfigurer<HttpSecurity>) -> Unit {
return { csrf ->
csrfTokenRepository?.also { csrf.csrfTokenRepository(csrfTokenRepository) }
Expand All @@ -84,6 +96,9 @@ class CsrfDsl {
csrfTokenRequestHandler?.also { csrf.csrfTokenRequestHandler(csrfTokenRequestHandler) }
ignoringRequestMatchers?.also { csrf.ignoringRequestMatchers(*ignoringRequestMatchers!!) }
ignoringRequestMatchersPatterns?.also { csrf.ignoringRequestMatchers(*ignoringRequestMatchersPatterns!!) }
if (spaMode) {
csrf.spa()
}
if (disabled) {
csrf.disable()
}
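Review bot: `csrf.spa()` is invoked after the explicit `csrfTokenRepository` and `csrfTokenRequestHandler` calls on the preceding lines, so if the KDoc for `spa()` is accurate (it installs a cookie-based repository and its own request handler), a user who sets both `spa()` and a custom repository or handler in the DSL gets the explicit setting silently replaced, which is a surprising precedence for a security control. Consider moving the `if (spaMode) { csrf.spa() }` block to the top of the lambda so that explicit configuration still wins, or, if the override is intended, state it in the KDoc of `spa()`: `* Overrides any [csrfTokenRepository] or [csrfTokenRequestHandler] configured on this DSL.` Whichever precedence is chosen should be pinned by a test combining `spa()` with a custom repository. The lambda returned by `get()` continues outside the hunk.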
Expand Up @@ -343,4 +343,40 @@ class CsrfDslTests {
return http.build()
}
}

@Test
fun `POST when CSRF for SPA enabled and no CSRF token then forbidden`() {
this.spring.register(CsrfSPAConfig::class.java).autowire()

this.mockMvc.post("/test1")
.andExpect {
status { isForbidden() }
}
}

@Test
fun `POST when CSRF for SPA enabled and CSRF token then status OK`() {
this.spring.register(CsrfSPAConfig::class.java, BasicController::class.java).autowire()

this.mockMvc.post("/test1") {
with(csrf())
}.andExpect {
status { isOk() }
}

}

@Configuration
@EnableWebSecurity
open class CsrfSPAConfig {
@Bean
open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
http {
csrf {
spa()
}
}
return http.build()
}
}
}
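Review bot: The two new tests do not appear to exercise anything SPA-specific: `POST when CSRF for SPA enabled and no CSRF token then forbidden` and `POST when CSRF for SPA enabled and CSRF token then status OK` would, as far as I can tell, pass unchanged against a plain `csrf { }` block, since `with(csrf())` supplies the token through the test request post-processor rather than through the cookie-based repository and raw-token request handler that `spa()` is documented to install. A test that pins the SPA behaviour would issue a GET and assert that the CSRF cookie is written, then replay the cookie's value in the request header and expect OK, and a negative case sending the encoded token instead of the raw value. There is also a stray blank line before the closing brace of the second test that can be dropped.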