New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CsrfRequestDataValueProcessor uses a different attribute name then the rest of the CSRF parts. #12443
Comments
Hi @mdeinum! Generally, I would agree with the suggestion you're proposing here as a) aligning servlet and reactive is a good goal, and b) making it easier is a great goal!
In general, it would be. However, see below:
The challenge I see here is that the I don't believe the reactive I wonder if it would be beneficial to instead change the Note that we could potentially also align the servlet |
It isn't so much the naming but the additional work needed to get CSRF protection to work in a reactive setup, especially with a combination of controllers and router functions. Basically it works out-of-the-box with a plain Servlet approach whilst additional work (which is easily forgotten) is needed to make it work for the Reactive stack. Basically that is the biggest drawback I see (and that people will run into, it bit me whilst writing the security chapter for my upcoming book and took me too long to figure out why it wasn't working for a router function but was working for an |
Gotcha. Perhaps I wasn't clear in my explanation, but I mention the name
... I believe it would work "out of the box." What do you think? |
@mdeinum do you have thoughts on my comment above? |
I suspect that would make it work yes, as the mismatch seems to come from the naming (and that is why the copying is needed). Which would also mean I would have to rewrite (read delete some stuff) from my book :). (Although that is a good thing in this case as it makes things easier and just work (tm)). |
When working with Spring Webflux and CSRF protection additional steps are needed to expose the CSRF Token to the frontend. The reference guide mentions an
@ControllerAdvice
(which will only work for controllers) if you also haveRouterFunction
materials you need to add an additionalHandlerFilterFunction
so it copies the thing around.When combining different ways of configuring endpoiints, it all adds up with additional cruft to have in place for a proper working of the CSRF tokens. Wouldn't it be easier for the
CsrfRequestDataValueProcessor
to utilize the same nameCsrfToken.class.getName()
to obtain the actualCsrfToken
and expose it as hidden fields?I wonder why the discrepancy with the regular CSRF protection and the additional (complexer) setup. As the servlet variant of the
CsrfRequestDataValueProcessor
does actually use the "proper" attribute name.The text was updated successfully, but these errors were encountered: