Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default to Xor CSRF protection #11960

Closed
sjohnr opened this issue Oct 5, 2022 · 0 comments
Closed

Default to Xor CSRF protection #11960

sjohnr opened this issue Oct 5, 2022 · 0 comments
Assignees
@sjohnr
Labels
in: web An issue in web modules (web, webmvc) type: breaks-passivity A change that breaks passivity with the previous release
Milestone
6.0.0-RC1

Comments

@sjohnr
Copy link
Member

sjohnr commented Oct 5, 2022
edited
Loading

We should default to Xor CSRF tokens in 6.0:

  • Use XorCsrfTokenRequestAttributeHandler in CsrfFilter
  • Use XorServerCsrfTokenRequestAttributeHandler in CsrfWebFilter

Related gh-4001
@sjohnr sjohnr self-assigned this Oct 5, 2022
@sjohnr sjohnr added this to the 6.0.0-RC1 milestone Oct 5, 2022
sjohnr added a commit that referenced this issue Oct 13, 2022
@sjohnr
Default to Xor CSRF tokens in CsrfFilter
2a2051c 
Issue gh-11960
@sjohnr sjohnr closed this as completed in 2407d07 Oct 13, 2022
@sjohnr sjohnr added in: web An issue in web modules (web, webmvc) type: breaks-passivity A change that breaks passivity with the previous release labels Oct 13, 2022
@JohnNiang JohnNiang mentioned this issue Oct 24, 2022
Merged
f2c-ci-robot bot pushed a commit to halo-dev/halo that referenced this issue Oct 25, 2022
@JohnNiang
Bump Spring Boot to 3.0.0-RC1 (#2620)
d2aa707 
#### What type of PR is this?

/kind improvement
/area core
/milestone 2.0

#### What this PR does / why we need it:

- See https://github.com/spring-projects/spring-boot/releases/tag/v3.0.0-RC1 for more.
- Due to [Default to Xor CSRF protection](spring-projects/spring-security#11960), we have to implement a XOR algorithm in console project to generate a XORed token. Please be aware of source code of Spring Security at [here](https://github.com/spring-projects/spring-security/blob/9cb668aec2ad14f91c122c66b7d7d4a8b6e133f7/web/src/main/java/org/springframework/security/web/server/csrf/XorServerCsrfTokenRequestAttributeHandler.java#L94-L115), @halo-dev/sig-halo-console 

#### Special notes for reviewers

We have removed `ThemeJava8TimeDialect` due to removal of `thymeleaf-extras-java8time` module in thymeleaf/thymeleaf#912

#### Does this PR introduce a user-facing change?

```release-note
None
```
@Artur- Artur- mentioned this issue Oct 26, 2022
Closed
@sjohnr sjohnr mentioned this issue Nov 17, 2022
Closed
sjohnr added a commit that referenced this issue Nov 19, 2022
@sjohnr
Default to XorCsrfTokenRequestAttributeHandler
fd54732 
As of gh-11960, Xor CSRF tokens are the default in 6.0. This commit
makes CsrfAuthenticationStrategy consistent with CsrfFilter.

Issue gh-11960
Closes gh-12235
@mdadoua mdadoua mentioned this issue Feb 9, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sjohnr sjohnr

Labels
in: web An issue in web modules (web, webmvc) type: breaks-passivity A change that breaks passivity with the previous release
Projects
Spring Security Team
Archived in project
Milestone
6.0.0-RC1
Development

No branches or pull requests
1 participant
@sjohnr