
Form POST hangs when CSRF Protection is enabled #8026

Closed
SmithJosh opened this issue Feb 26, 2020 · 6 comments
Assignees
Labels
for: external-project For an external project and not something we can fix

Comments

@SmithJosh

SmithJosh commented Feb 26, 2020

Summary

I have a Spring Cloud Gateway application which uses Spring Security to provide CSRF protection. The gateway has a single webpage which sends POST requests to some service behind the gateway. When CSRF is disabled, everything works, both form and AJAX POST requests. But when CSRF is enabled, form POSTs hang and eventually time out.

This is somehow related to Spring Cloud Gateway, as the issue doesn't arise without it.

See the sample for steps to reproduce.

Actual Behavior

  • AJAX POST is received by service
  • Form POST hangs

Expected Behavior

  • AJAX POST is received by service
  • Form POST is received by service

Configuration

See sample

Version

5.2.1.RELEASE

Sample

https://github.com/SmithJosh/spring-security-8026

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Feb 26, 2020
@rwinch
Member

rwinch commented Feb 26, 2020

Thanks for the report and the excellent sample. The problem seems to happen because Spring Security's CsrfWebFilter reads ServerWebExchange.getFormData() before the gateway is invoked.

The problem is more general in that if any WebFilter reads the form data the problem occurs. For example, the following WebFilter will cause the issue without Spring Security on the classpath:

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class ReadFormWebFilter implements WebFilter {
	@Override
	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
		// Reading the form data consumes the request body before the rest of the
		// chain (including the gateway's routing filter) gets to run.
		return exchange.getFormData()
			.flatMap(d -> Mono.justOrEmpty(d.getFirst("foo")))
			.then(chain.filter(exchange));
	}
}

I've included a complete example in a branch named nosecurity of my fork of your sample that demonstrates the issue is reproducible without Spring Security. I'd suggest you create a ticket in Spring Cloud Gateway.

@rwinch rwinch closed this as completed Feb 26, 2020
@rwinch rwinch removed the status: waiting-for-triage An issue we've not yet triaged label Feb 26, 2020
@rwinch rwinch self-assigned this Feb 26, 2020
@rwinch rwinch added the for: external-project For an external project and not something we can fix label Feb 26, 2020
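The mechanism rwinch describes above, a filter consuming the request body before the gateway can forward it, is what any body-inspecting filter in front of a proxy runs into. The filter below is an added example, not code from this issue, from the sample repository or from Spring itself: it reads the body once (with a size cap), parses the form through Spring's FormHttpMessageReader, and hands the chain a request whose getBody() replays the cached bytes, so a downstream proxy that reads getRequest().getBody() still receives the POST. The class name ReplayableFormWebFilter, the attribute name cachedForm, the 256 KiB limit and the inspect() hook are assumptions made for this example.

```java
import java.util.Collections;

import org.springframework.core.Ordered;
import org.springframework.core.ResolvableType;
import org.springframework.core.annotation.Order;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferFactory;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.http.MediaType;
import org.springframework.http.codec.FormHttpMessageReader;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
import org.springframework.stereotype.Component;
import org.springframework.util.MultiValueMap;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

/**
 * Added example (not from the issue, the sample or Spring): inspect a form POST
 * once, then pass on a request whose body can be read again by later filters.
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class ReplayableFormWebFilter implements WebFilter {

	/** Exchange attribute holding the parsed form (name chosen for this example). */
	public static final String CACHED_FORM_ATTR = "cachedForm";

	/** Constructed cap on buffering so an oversized POST cannot exhaust memory. */
	private static final int MAX_FORM_BYTES = 256 * 1024;

	private static final ResolvableType FORM_TYPE =
			ResolvableType.forClassWithGenerics(MultiValueMap.class, String.class, String.class);

	private final FormHttpMessageReader formReader = new FormHttpMessageReader();

	@Override
	public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
		MediaType contentType = exchange.getRequest().getHeaders().getContentType();
		if (contentType == null || !MediaType.APPLICATION_FORM_URLENCODED.isCompatibleWith(contentType)) {
			// Not a form POST: leave the body stream untouched for the gateway.
			return chain.filter(exchange);
		}
		DataBufferFactory bufferFactory = exchange.getResponse().bufferFactory();
		// Read the body exactly once; join(..., max) errors with DataBufferLimitException above the cap.
		return DataBufferUtils.join(exchange.getRequest().getBody(), MAX_FORM_BYTES)
				.defaultIfEmpty(bufferFactory.wrap(new byte[0]))
				.flatMap(joined -> {
					byte[] bytes = new byte[joined.readableByteCount()];
					joined.read(bytes);
					DataBufferUtils.release(joined);

					// Every subscriber to getBody() gets a fresh buffer over the same bytes.
					ServerHttpRequest replayable = new ServerHttpRequestDecorator(exchange.getRequest()) {
						@Override
						public Flux<DataBuffer> getBody() {
							return Flux.defer(() -> Flux.just(bufferFactory.wrap(bytes)));
						}
					};
					ServerWebExchange replayableExchange = exchange.mutate().request(replayable).build();

					// Parse the form from the cached copy rather than from the original stream.
					return formReader.readMono(FORM_TYPE, replayable, Collections.emptyMap())
							.doOnNext(form -> inspect(replayableExchange, form))
							.then(chain.filter(replayableExchange));
				});
	}

	/** Hypothetical inspection hook: expose the parsed fields to later filters via an attribute. */
	private void inspect(ServerWebExchange exchange, MultiValueMap<String, String> form) {
		exchange.getAttributes().put(CACHED_FORM_ATTR, form);
	}
}
```

The limit of this approach is also why the thread ends up in Spring Cloud Gateway rather than Spring Security: exchange.mutate() only swaps the request, while ServerWebExchange.getFormData() is wired to the original request when the exchange is created, so a downstream filter such as CsrfWebFilter that calls getFormData() on the mutated exchange still subscribes to the already-consumed original stream. The example therefore keeps consumers of getBody() working, not consumers of getFormData(), and a filter that must do both needs the proxy side to cooperate.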
@SmithJosh
Author

Thanks for the help @rwinch!

@rwinch
Member

rwinch commented Feb 27, 2020

@SmithJosh If you create another issue, can you please link it to here for others to find?

@SmithJosh
Author

Sure, here's a link to the gateway issue: spring-cloud/spring-cloud-gateway#1587

@tianshuang

Is this problem solved now?

@rwinch
Member

rwinch commented Jun 28, 2022

This was not a bug in Spring Security. Please refer to the Spring Cloud issue for updates.
