Extended csrf cookie customization (#286)

claypigeon123 · web-flow · commit 180c9d6f5648 · 2025-10-26T23:47:16.000+01:00
CSRF token repository customization via post-processor(s)
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/reactive/CookieServerCsrfTokenRepositoryPostProcessor.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/reactive/CookieServerCsrfTokenRepositoryPostProcessor.java
@@ -0,0 +1,11 @@
+package com.c4_soft.springaddons.security.oidc.starter.reactive;
+
+import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
+
+/**
+ * Customize the reactive csrf token repository configured by spring-addons
+ */
+@FunctionalInterface
+public interface CookieServerCsrfTokenRepositoryPostProcessor {
+  CookieServerCsrfTokenRepository process(CookieServerCsrfTokenRepository repository);
+}
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/reactive/ReactiveConfigurationSupport.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/reactive/ReactiveConfigurationSupport.java
@@ -5,6 +5,7 @@
 import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Optional;
 import java.util.stream.Collectors;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.core.io.buffer.DataBufferUtils;
@@ -37,7 +38,8 @@ public class ReactiveConfigurationSupport {
   public static ServerHttpSecurity configureResourceServer(ServerHttpSecurity http,
       ServerProperties serverProperties, SpringAddonsOidcProperties addonsProperties,
       ResourceServerAuthorizeExchangeSpecPostProcessor authorizePostProcessor,
-      ResourceServerReactiveHttpSecurityPostProcessor httpPostProcessor) {
+      ResourceServerReactiveHttpSecurityPostProcessor httpPostProcessor,
+      Optional<CookieServerCsrfTokenRepositoryPostProcessor> csrfPostProcessor) {
 
     http.exceptionHandling(exceptions -> {
       final var issuers = addonsProperties.getOps().stream().map(OpenidProviderProperties::getIss)
@@ -59,7 +61,8 @@ public static ServerHttpSecurity configureResourceServer(ServerHttpSecurity http
     ReactiveConfigurationSupport.configureState(http,
         addonsProperties.getResourceserver().isStatlessSessions(),
         addonsProperties.getResourceserver().getCsrf(), addonsProperties.getResourceserver().getCsrfCookieName(),
-        addonsProperties.getResourceserver().getCsrfCookiePath());
+        addonsProperties.getResourceserver().getCsrfCookiePath(),
+        csrfPostProcessor);
 
     // FIXME: use only the new CORS properties at next major release
     final var corsProps = new ArrayList<>(addonsProperties.getCors());
@@ -83,11 +86,13 @@ public static ServerHttpSecurity configureResourceServer(ServerHttpSecurity http
   public static ServerHttpSecurity configureClient(ServerHttpSecurity http,
       ServerProperties serverProperties, SpringAddonsOidcProperties addonsProperties,
       ClientAuthorizeExchangeSpecPostProcessor authorizePostProcessor,
-      ClientReactiveHttpSecurityPostProcessor httpPostProcessor) {
+      ClientReactiveHttpSecurityPostProcessor httpPostProcessor,
+      Optional<CookieServerCsrfTokenRepositoryPostProcessor> csrfPostProcessor) {
 
     ReactiveConfigurationSupport.configureState(http, false,
         addonsProperties.getClient().getCsrf(),  addonsProperties.getClient().getCsrfCookieName(),
-        addonsProperties.getClient().getCsrfCookiePath());
+        addonsProperties.getClient().getCsrfCookiePath(),
+        csrfPostProcessor);
 
     // FIXME: use only the new CORS properties at next major release
     final var corsProps = new ArrayList<>(addonsProperties.getCors());
@@ -149,7 +154,8 @@ public static CorsWebFilter getCorsFilterBean(List<CorsProperties> corsPropertie
   }
 
   public static ServerHttpSecurity configureState(ServerHttpSecurity http, boolean isStatless,
-      Csrf csrfEnum, String csrfCookieName, String csrfCookiePath) {
+      Csrf csrfEnum, String csrfCookieName, String csrfCookiePath,
+      Optional<CookieServerCsrfTokenRepositoryPostProcessor> csrfPostProcessor) {
 
     if (isStatless) {
       http.securityContextRepository(NoOpServerSecurityContextRepository.getInstance());
@@ -176,7 +182,7 @@ public static ServerHttpSecurity configureState(ServerHttpSecurity http, boolean
           final var repo = CookieServerCsrfTokenRepository.withHttpOnlyFalse();
           repo.setCookiePath(csrfCookiePath);
           repo.setCookieName(csrfCookieName);
-          csrf.csrfTokenRepository(repo)
+          csrf.csrfTokenRepository(csrfPostProcessor.map(pp -> pp.process(repo)).orElse(repo))
               .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler());
           break;
       }
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/reactive/client/ReactiveSpringAddonsOidcClientWithLoginBeans.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/reactive/client/ReactiveSpringAddonsOidcClientWithLoginBeans.java
@@ -51,6 +51,7 @@
 import com.c4_soft.springaddons.security.oidc.starter.properties.condition.configuration.IsNotServlet;
 import com.c4_soft.springaddons.security.oidc.starter.reactive.ReactiveConfigurationSupport;
 import com.c4_soft.springaddons.security.oidc.starter.reactive.ReactiveSpringAddonsOidcBeans;
+import com.c4_soft.springaddons.security.oidc.starter.reactive.CookieServerCsrfTokenRepositoryPostProcessor;
 import lombok.extern.slf4j.Slf4j;
 import reactor.core.publisher.Mono;
 
@@ -133,6 +134,7 @@ public class ReactiveSpringAddonsOidcClientWithLoginBeans {
    *        applied (default is "isAuthenticated()" to everything that was not matched)
    * @param httpPostProcessor post process the "http" builder just before it is returned (enables to
    *        override anything from the auto-configuration) spring-addons client properties}
+   * @param csrfPostProcessor Optional hook to customize the csrf token repository
    * @param logoutHandler if present, this custom {@link ServerLogoutHandler} is applied.
    * @param oidcBackChannelLogoutHandler if present, Back-Channel Logout is enabled. A default
    *        {@link OidcBackChannelServerLogoutHandler} is provided if
@@ -153,6 +155,7 @@ SecurityWebFilterChain clientFilterChain(ServerHttpSecurity http,
       ServerLogoutSuccessHandler logoutSuccessHandler,
       ClientAuthorizeExchangeSpecPostProcessor authorizePostProcessor,
       ClientReactiveHttpSecurityPostProcessor httpPostProcessor,
+      Optional<CookieServerCsrfTokenRepositoryPostProcessor> csrfPostProcessor,
       Optional<ServerLogoutHandler> logoutHandler, BeanFactory beanFactory) throws Exception {
 
     final var clientRoutes = addonsProperties.getClient().getSecurityMatchers().stream()
@@ -192,7 +195,8 @@ SecurityWebFilterChain clientFilterChain(ServerHttpSecurity http,
           http.oidcLogout(ol -> ol.backChannel(bc -> bc.logoutHandler(handler)));
         }
 
-        ReactiveConfigurationSupport.configureClient(http, serverProperties, addonsProperties, authorizePostProcessor, httpPostProcessor);
+        ReactiveConfigurationSupport.configureClient(http, serverProperties, addonsProperties,
+            authorizePostProcessor, httpPostProcessor, csrfPostProcessor);
 
         return http.build();
     }
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/reactive/resourceserver/ReactiveSpringAddonsOidcResourceServerBeans.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/reactive/resourceserver/ReactiveSpringAddonsOidcResourceServerBeans.java
@@ -1,11 +1,7 @@
 package com.c4_soft.springaddons.security.oidc.starter.reactive.resourceserver;
 
 import java.time.Instant;
-import java.util.ArrayList;
-import java.util.Collection;
-import java.util.Date;
-import java.util.Map;
-
+import java.util.*;
 import org.springframework.boot.autoconfigure.AutoConfiguration;
 import org.springframework.boot.autoconfigure.ImportAutoConfiguration;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@@ -52,6 +48,7 @@
 import com.c4_soft.springaddons.security.oidc.starter.properties.condition.configuration.IsOidcResourceServerCondition;
 import com.c4_soft.springaddons.security.oidc.starter.reactive.ReactiveConfigurationSupport;
 import com.c4_soft.springaddons.security.oidc.starter.reactive.ReactiveSpringAddonsOidcBeans;
+import com.c4_soft.springaddons.security.oidc.starter.reactive.CookieServerCsrfTokenRepositoryPostProcessor;
 
 import reactor.core.publisher.Mono;
 
@@ -103,6 +100,7 @@ public class ReactiveSpringAddonsOidcResourceServerBeans {
 	 * @param  authorizePostProcessor        Hook to override access-control rules for all path that are not listed in "permit-all"
 	 * @param  httpPostProcessor             Hook to override all or part of HttpSecurity auto-configuration
 	 * @param  authenticationManagerResolver Converts successful JWT decoding result into an {@link Authentication}
+	 * @param  csrfPostProcessor             Optional hook to customize the csrf token repository
 	 * @return                               A default {@link SecurityWebFilterChain} for reactive resource-servers with JWT decoder(matches all
 	 *                                       unmatched routes with lowest precedence)
 	 */
@@ -115,12 +113,14 @@ SecurityWebFilterChain springAddonsJwtResourceServerSecurityFilterChain(
 			SpringAddonsOidcProperties addonsProperties,
 			ResourceServerAuthorizeExchangeSpecPostProcessor authorizePostProcessor,
 			ResourceServerReactiveHttpSecurityPostProcessor httpPostProcessor,
-			ReactiveAuthenticationManagerResolver<ServerWebExchange> authenticationManagerResolver) {
+			ReactiveAuthenticationManagerResolver<ServerWebExchange> authenticationManagerResolver,
+			Optional<CookieServerCsrfTokenRepositoryPostProcessor> csrfPostProcessor) {
 		http.oauth2ResourceServer(server -> {
 			server.authenticationManagerResolver(authenticationManagerResolver);
 		});
 
-		ReactiveConfigurationSupport.configureResourceServer(http, serverProperties, addonsProperties, authorizePostProcessor, httpPostProcessor);
+		ReactiveConfigurationSupport.configureResourceServer(http, serverProperties, addonsProperties,
+			authorizePostProcessor, httpPostProcessor, csrfPostProcessor);
 
 		return http.build();
 	}
@@ -142,6 +142,7 @@ SecurityWebFilterChain springAddonsJwtResourceServerSecurityFilterChain(
 	 * @param  authorizePostProcessor               Hook to override access-control rules for all path that are not listed in "permit-all"
 	 * @param  httpPostProcessor                    Hook to override all or part of HttpSecurity auto-configuration
 	 * @param  introspectionAuthenticationConverter Converts successful introspection result into an {@link Authentication}
+	 * @param  csrfPostProcessor                    Optional hook to customize the csrf token repository
 	 * @return                                      A default {@link SecurityWebFilterChain} for reactive resource-servers with access-token
 	 *                                              introspection (matches all unmatched routes with lowest precedence)
 	 */
@@ -155,13 +156,15 @@ SecurityWebFilterChain springAddonsIntrospectingResourceServerSecurityFilterChai
 			ResourceServerAuthorizeExchangeSpecPostProcessor authorizePostProcessor,
 			ResourceServerReactiveHttpSecurityPostProcessor httpPostProcessor,
 			ReactiveOpaqueTokenAuthenticationConverter introspectionAuthenticationConverter,
-			ReactiveOpaqueTokenIntrospector opaqueTokenIntrospector) {
+			ReactiveOpaqueTokenIntrospector opaqueTokenIntrospector,
+			Optional<CookieServerCsrfTokenRepositoryPostProcessor> csrfPostProcessor) {
 		http.oauth2ResourceServer(server -> server.opaqueToken(ot -> {
 			ot.introspector(opaqueTokenIntrospector);
 			ot.authenticationConverter(introspectionAuthenticationConverter);
 		}));
 
-		ReactiveConfigurationSupport.configureResourceServer(http, serverProperties, addonsProperties, authorizePostProcessor, httpPostProcessor);
+		ReactiveConfigurationSupport.configureResourceServer(http, serverProperties, addonsProperties,
+			authorizePostProcessor, httpPostProcessor, csrfPostProcessor);
 
 		return http.build();
 	}
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/synchronised/CookieCsrfTokenRepositoryPostProcessor.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/synchronised/CookieCsrfTokenRepositoryPostProcessor.java
@@ -0,0 +1,11 @@
+package com.c4_soft.springaddons.security.oidc.starter.synchronised;
+
+import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
+
+/**
+ * Customize the servlet csrf token repository configured by spring-addons
+ */
+@FunctionalInterface
+public interface CookieCsrfTokenRepositoryPostProcessor {
+  CookieCsrfTokenRepository process(CookieCsrfTokenRepository repository);
+}
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/synchronised/ServletConfigurationSupport.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/synchronised/ServletConfigurationSupport.java
@@ -4,6 +4,7 @@
 import java.net.URI;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Optional;
 import java.util.function.Supplier;
 import java.util.stream.Collectors;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
@@ -37,7 +38,8 @@ public class ServletConfigurationSupport {
   public static HttpSecurity configureResourceServer(HttpSecurity http,
       ServerProperties serverProperties, SpringAddonsOidcProperties addonsProperties,
       ResourceServerExpressionInterceptUrlRegistryPostProcessor authorizePostProcessor,
-      ResourceServerSynchronizedHttpSecurityPostProcessor httpPostProcessor) throws Exception {
+      ResourceServerSynchronizedHttpSecurityPostProcessor httpPostProcessor,
+      Optional<CookieCsrfTokenRepositoryPostProcessor> csrfPostProcessor) throws Exception {
 
     http.exceptionHandling(exceptions -> {
       final var issuers = addonsProperties.getOps().stream().map(OpenidProviderProperties::getIss)
@@ -54,7 +56,8 @@ public static HttpSecurity configureResourceServer(HttpSecurity http,
         addonsProperties.getResourceserver().isStatlessSessions(),
         addonsProperties.getResourceserver().getCsrf(),
         addonsProperties.getResourceserver().getCsrfCookieName(),
-        addonsProperties.getResourceserver().getCsrfCookiePath());
+        addonsProperties.getResourceserver().getCsrfCookiePath(),
+        csrfPostProcessor);
 
     // FIXME: use only the new CORS properties at next major release
     final var corsProps = new ArrayList<>(addonsProperties.getCors());
@@ -75,11 +78,13 @@ public static HttpSecurity configureResourceServer(HttpSecurity http,
   public static HttpSecurity configureClient(HttpSecurity http, ServerProperties serverProperties,
       SpringAddonsOidcProperties addonsProperties,
       ClientExpressionInterceptUrlRegistryPostProcessor authorizePostProcessor,
-      ClientSynchronizedHttpSecurityPostProcessor httpPostProcessor) throws Exception {
+      ClientSynchronizedHttpSecurityPostProcessor httpPostProcessor,
+      Optional<CookieCsrfTokenRepositoryPostProcessor> csrfPostProcessor) throws Exception {
 
     ServletConfigurationSupport.configureState(http, false, addonsProperties.getClient().getCsrf(),
     addonsProperties.getClient().getCsrfCookieName(),
-    addonsProperties.getClient().getCsrfCookiePath());
+    addonsProperties.getClient().getCsrfCookiePath(),
+    csrfPostProcessor);
 
     // FIXME: use only the new CORS properties at next major release
     final var corsProps = new ArrayList<>(addonsProperties.getCors());
@@ -141,7 +146,7 @@ public static CorsFilter getCorsFilterBean(List<CorsProperties> corsProperties)
   }
 
   public static HttpSecurity configureState(HttpSecurity http, boolean isStatless, Csrf csrfEnum, String csrfCookieName,
-      String csrfCookiePath)
+      String csrfCookiePath, Optional<CookieCsrfTokenRepositoryPostProcessor> csrfPostProcessor)
       throws Exception {
 
     if (isStatless) {
@@ -165,7 +170,7 @@ public static HttpSecurity configureState(HttpSecurity http, boolean isStatless,
           final var repo = CookieCsrfTokenRepository.withHttpOnlyFalse();
           repo.setCookiePath(csrfCookiePath);
           repo.setCookieName(csrfCookieName);
-          configurer.csrfTokenRepository(repo)
+          configurer.csrfTokenRepository(csrfPostProcessor.map(pp -> pp.process(repo)).orElse(repo))
               .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler());
           break;
       }
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/synchronised/client/SpringAddonsOidcClientWithLoginBeans.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/synchronised/client/SpringAddonsOidcClientWithLoginBeans.java
@@ -50,6 +50,7 @@
 import com.c4_soft.springaddons.security.oidc.starter.properties.condition.configuration.IsClientWithLoginCondition;
 import com.c4_soft.springaddons.security.oidc.starter.synchronised.ServletConfigurationSupport;
 import com.c4_soft.springaddons.security.oidc.starter.synchronised.SpringAddonsOidcBeans;
+import com.c4_soft.springaddons.security.oidc.starter.synchronised.CookieCsrfTokenRepositoryPostProcessor;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import lombok.extern.slf4j.Slf4j;
@@ -140,6 +141,7 @@ public class SpringAddonsOidcClientWithLoginBeans {
    *        applied (default is "isAuthenticated()" to everything that was not matched)
    * @param httpPostProcessor post process the "http" builder just before it is returned (enables to
    *        override anything from the auto-configuration) spring-addons client properties}
+   * @param csrfPostProcessor Optional hook to customize the csrf token repository
    * @return a security filter-chain scoped to specified security-matchers and adapted to OAuth2
    *         clients
    * @throws Exception in case of miss-configuration
@@ -156,6 +158,7 @@ SecurityFilterChain springAddonsClientFilterChain(HttpSecurity http,
       InvalidSessionStrategy invalidSessionStrategy, LogoutSuccessHandler logoutSuccessHandler,
       SpringAddonsOidcProperties addonsProperties,
       ClientExpressionInterceptUrlRegistryPostProcessor authorizePostProcessor,
+      Optional<CookieCsrfTokenRepositoryPostProcessor> csrfPostProcessor,
       ClientSynchronizedHttpSecurityPostProcessor httpPostProcessor, BeanFactory beanFactory)
       throws Exception {
     // @formatter:off
@@ -194,7 +197,7 @@ SecurityFilterChain springAddonsClientFilterChain(HttpSecurity http,
     }
 
     ServletConfigurationSupport.configureClient(http, serverProperties, addonsProperties,
-        authorizePostProcessor, httpPostProcessor);
+        authorizePostProcessor, httpPostProcessor, csrfPostProcessor);
 
     return http.build();
   }
diff --git a/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/synchronised/resourceserver/SpringAddonsOidcResourceServerBeans.java b/spring-addons-starter-oidc/src/main/java/com/c4_soft/springaddons/security/oidc/starter/synchronised/resourceserver/SpringAddonsOidcResourceServerBeans.java
