Disable CSRF for Servlet apps by default

Author: Dave Syer

samples/grpc-tomcat-secure/src/main/java/org/springframework/grpc/sample/GrpcServerApplication.java

@@ -2,11 +2,6 @@
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
-import org.springframework.context.annotation.Bean;
-import org.springframework.grpc.autoconfigure.server.security.GrpcServletRequest;
-import org.springframework.security.config.Customizer;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.web.SecurityFilterChain;
 
 @SpringBootApplication
 public class GrpcServerApplication {
@@ -15,12 +10,4 @@ public static void main(String[] args) {
 		SpringApplication.run(GrpcServerApplication.class, args);
 	}
 
-	@Bean
-	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-		return http.httpBasic(Customizer.withDefaults())
-			.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated())
-			.csrf(csrf -> csrf.ignoringRequestMatchers(GrpcServletRequest.all()))
-			.build();
-	}
-
 }

spring-grpc-docs/src/main/antora/modules/ROOT/pages/server.adoc

@@ -199,7 +199,7 @@ Spring gRPC handles this for the default configuration.
 
 Spring gRPC will automatically configure the gRPC server interceptors, and https://docs.spring.io/spring-boot/reference/web/spring-security.html[Spring Boot will provide defaults] for an `AuthenticationManager` and a `UserDetailsService`.
 Spring Boot will also provide default configuration for an OAuth2 resource server, if you set the classpath up correctly (following the https://docs.spring.io/spring-boot/reference/web/spring-security.html#web.security.oauth2.server[Spring Boot documentation]) which will be used to validate the token.
-You will want to provide your own `SecurityFilterChain` because the one provided by Spring Boot will enable CSRF protection for all endpoints, which is not compatible with gRPC.
+You may still want to provide your own `SecurityFilterChain`, but you can use the defaults just to get started.
 Here's an example with HTTP Basic authentication:
 
 [source,java]
@@ -208,22 +208,10 @@ Here's an example with HTTP Basic authentication:
 public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
 	return http.httpBasic(Customizer.withDefaults())
 		.authorizeHttpRequests((requests) -> requests.anyRequest().authenticated())
-		.csrf(csrf -> csrf.disable())
 		.build();
 }
 ----
 
-Disabling CSRF is fine if you have no other HTTP endpoints, but if you do you will need to be careful to disable CSRF protection for gRPC requests.
-To help you do that you can use a `GrpcServletRequest` to check if the request is a gRPC request and disable CSRF protection for it.
-Example:
-
-[source,java]
-----
-@Bean
-public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
-	return http
-		... // configure endpoint paths and authentication patterns
-		.csrf(csrf -> csrf.ignoringRequestMatchers(GrpcServletRequest.all()))
-		.build();
-}
-----
+By default CSRF protection is automatically disabled for gRPC requests because it is incompatible with the protocol.
+You can switch off that behaviour and configure your own CSRF protection if you want to by explicitly setting `spring.grpc.security.csrf.enabled=true`.
+A servlet application that exposes gRPC endpoints on a different port (with `spring.grpc.server.servlet.enabled=false`) will also not have CSRF protection disabled by default.

spring-grpc-docs/src/main/antora/modules/ROOT/partials/_configprops.adoc

@@ -2,48 +2,48 @@
 |Name | Default | Description
 
 |spring.grpc.client.channels |  | Map of channels configured by name.
-|spring.grpc.client.default-channel.address | `+++static://localhost:9090+++` | The target address uri to connect to.
-|spring.grpc.client.default-channel.default-load-balancing-policy | `+++round_robin+++` | The default load balancing policy the channel should use.
-|spring.grpc.client.default-channel.enable-keep-alive | `+++false+++` | Whether keep alive is enabled on the channel.
-|spring.grpc.client.default-channel.health.enabled | `+++false+++` | Whether to enable client-side health check for the channel.
+|spring.grpc.client.default-channel.address |  | The target address uri to connect to.
+|spring.grpc.client.default-channel.default-load-balancing-policy |  | The default load balancing policy the channel should use.
+|spring.grpc.client.default-channel.enable-keep-alive |  | Whether keep alive is enabled on the channel.
+|spring.grpc.client.default-channel.health.enabled |  | Whether to enable client-side health check for the channel.
 |spring.grpc.client.default-channel.health.service-name |  | Name of the service to check health on.
-|spring.grpc.client.default-channel.idle-timeout | `+++20s+++` | The duration without ongoing RPCs before going to idle mode.
-|spring.grpc.client.default-channel.keep-alive-time | `+++5m+++` | The delay before sending a keepAlive. Note that shorter intervals increase the network burden for the server and this value can not be lower than 'permitKeepAliveTime' on the server.
-|spring.grpc.client.default-channel.keep-alive-timeout | `+++20s+++` | The default timeout for a keepAlives ping request.
-|spring.grpc.client.default-channel.keep-alive-without-calls | `+++false+++` | Whether a keepAlive will be performed when there are no outstanding RPC on a connection.
-|spring.grpc.client.default-channel.max-inbound-message-size | `+++4194304B+++` | Maximum message size allowed to be received by the channel (default 4MiB). Set to '-1' to use the highest possible limit (not recommended).
-|spring.grpc.client.default-channel.max-inbound-metadata-size | `+++8192B+++` | Maximum metadata size allowed to be received by the channel (default 8KiB). Set to '-1' to use the highest possible limit (not recommended).
-|spring.grpc.client.default-channel.negotiation-type | `+++plaintext+++` | The negotiation type for the channel.
-|spring.grpc.client.default-channel.secure | `+++true+++` | Flag to say that strict SSL checks are not enabled (so the remote certificate could be anonymous).
+|spring.grpc.client.default-channel.idle-timeout |  | The duration without ongoing RPCs before going to idle mode.
+|spring.grpc.client.default-channel.keep-alive-time |  | The delay before sending a keepAlive. Note that shorter intervals increase the network burden for the server and this value can not be lower than 'permitKeepAliveTime' on the server.
+|spring.grpc.client.default-channel.keep-alive-timeout |  | The default timeout for a keepAlives ping request.
+|spring.grpc.client.default-channel.keep-alive-without-calls |  | Whether a keepAlive will be performed when there are no outstanding RPC on a connection.
+|spring.grpc.client.default-channel.max-inbound-message-size |  | Maximum message size allowed to be received by the channel (default 4MiB). Set to '-1' to use the highest possible limit (not recommended).
+|spring.grpc.client.default-channel.max-inbound-metadata-size |  | Maximum metadata size allowed to be received by the channel (default 8KiB). Set to '-1' to use the highest possible limit (not recommended).
+|spring.grpc.client.default-channel.negotiation-type |  | The negotiation type for the channel.
+|spring.grpc.client.default-channel.secure |  | Flag to say that strict SSL checks are not enabled (so the remote certificate could be anonymous).
 |spring.grpc.client.default-channel.ssl.bundle |  | SSL bundle name.
 |spring.grpc.client.default-channel.ssl.enabled |  | Whether to enable SSL support. Enabled automatically if "bundle" is provided unless specified otherwise.
 |spring.grpc.client.default-channel.user-agent |  | The custom User-Agent for the channel.
 |spring.grpc.client.observations.enabled | `+++true+++` | Whether to enable Observations on the client.
 |spring.grpc.server.address |  | The address to bind to. could be a host:port combination or a pseudo URL like static://host:port. Can not be set if host or port are set independently.
 |spring.grpc.server.exception-handling.enabled | `+++true+++` | Whether to enable user-defined global exception handling on the gRPC server.
-|spring.grpc.server.health.actuator.enabled | `+++true+++` | Whether to adapt Actuator health indicators into gRPC health checks.
+|spring.grpc.server.health.actuator.enabled |  | Whether to adapt Actuator health indicators into gRPC health checks.
 |spring.grpc.server.health.actuator.health-indicator-paths |  | List of Actuator health indicator paths to adapt into gRPC health checks.
-|spring.grpc.server.health.actuator.update-initial-delay | `+++5s+++` | The initial delay before updating the health status the very first time.
-|spring.grpc.server.health.actuator.update-overall-health | `+++true+++` | Whether to update the overall gRPC server health (the '' service) with the aggregate status of the configured health indicators.
-|spring.grpc.server.health.actuator.update-rate | `+++5s+++` | How often to update the health status.
-|spring.grpc.server.health.enabled | `+++true+++` | Whether to auto-configure Health feature on the gRPC server.
-|spring.grpc.server.host | `+++*+++` | Server address to bind to. The default is any IP address ('*').
+|spring.grpc.server.health.actuator.update-initial-delay |  | The initial delay before updating the health status the very first time.
+|spring.grpc.server.health.actuator.update-overall-health |  | Whether to update the overall gRPC server health (the '' service) with the aggregate status of the configured health indicators.
+|spring.grpc.server.health.actuator.update-rate |  | How often to update the health status.
+|spring.grpc.server.health.enabled |  | Whether to auto-configure Health feature on the gRPC server.
+|spring.grpc.server.host |  | Server address to bind to. The default is any IP address ('*').
 |spring.grpc.server.keep-alive.max-age |  | Maximum time a connection may exist before being gracefully terminated (default infinite).
 |spring.grpc.server.keep-alive.max-age-grace |  | Maximum time for graceful connection termination (default infinite).
 |spring.grpc.server.keep-alive.max-idle |  | Maximum time a connection can remain idle before being gracefully terminated (default infinite).
-|spring.grpc.server.keep-alive.permit-time | `+++5m+++` | Maximum keep-alive time clients are permitted to configure (default 5m).
-|spring.grpc.server.keep-alive.permit-without-calls | `+++false+++` | Whether clients are permitted to send keep alive pings when there are no outstanding RPCs on the connection (default false).
-|spring.grpc.server.keep-alive.time | `+++2h+++` | Duration without read activity before sending a keep alive ping (default 2h).
-|spring.grpc.server.keep-alive.timeout | `+++20s+++` | Maximum time to wait for read activity after sending a keep alive ping. If sender does not receive an acknowledgment within this time, it will close the connection (default 20s).
-|spring.grpc.server.max-inbound-message-size | `+++4194304B+++` | Maximum message size allowed to be received by the server (default 4MiB).
-|spring.grpc.server.max-inbound-metadata-size | `+++8192B+++` | Maximum metadata size allowed to be received by the server (default 8KiB).
+|spring.grpc.server.keep-alive.permit-time |  | Maximum keep-alive time clients are permitted to configure (default 5m).
+|spring.grpc.server.keep-alive.permit-without-calls |  | Whether clients are permitted to send keep alive pings when there are no outstanding RPCs on the connection (default false).
+|spring.grpc.server.keep-alive.time |  | Duration without read activity before sending a keep alive ping (default 2h).
+|spring.grpc.server.keep-alive.timeout |  | Maximum time to wait for read activity after sending a keep alive ping. If sender does not receive an acknowledgment within this time, it will close the connection (default 20s).
+|spring.grpc.server.max-inbound-message-size |  | Maximum message size allowed to be received by the server (default 4MiB).
+|spring.grpc.server.max-inbound-metadata-size |  | Maximum metadata size allowed to be received by the server (default 8KiB).
 |spring.grpc.server.observations.enabled | `+++true+++` | Whether to enable Observations on the server.
 |spring.grpc.server.port | `+++9090+++` | Server port to listen on. When the value is 0, a random available port is selected. The default is 9090.
 |spring.grpc.server.reflection.enabled | `+++true+++` | Whether to enable Reflection on the gRPC server.
-|spring.grpc.server.shutdown-grace-period | `+++30s+++` | Maximum time to wait for the server to gracefully shutdown. When the value is negative, the server waits forever. When the value is 0, the server will force shutdown immediately. The default is 30 seconds.
+|spring.grpc.server.shutdown-grace-period |  | Maximum time to wait for the server to gracefully shutdown. When the value is negative, the server waits forever. When the value is 0, the server will force shutdown immediately. The default is 30 seconds.
 |spring.grpc.server.ssl.bundle |  | SSL bundle name.
-|spring.grpc.server.ssl.client-auth | `+++none+++` | Client authentication mode.
+|spring.grpc.server.ssl.client-auth |  | Client authentication mode.
 |spring.grpc.server.ssl.enabled |  | Whether to enable SSL support. Enabled automatically if "bundle" is provided unless specified otherwise.
-|spring.grpc.server.ssl.secure | `+++true+++` | Flag to indicate that client authentication is secure (i.e. certificates are checked). Do not set this to false in production.
+|spring.grpc.server.ssl.secure |  | Flag to indicate that client authentication is secure (i.e. certificates are checked). Do not set this to false in production.
 
 |===

spring-grpc-spring-boot-autoconfigure/src/main/java/org/springframework/grpc/autoconfigure/server/security/GrpcDisableCsrfHttpConfigurer.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2024-2024 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.grpc.autoconfigure.server.security;
+
+import org.springframework.context.ApplicationContext;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+
+/**
+ * A custom {@link AbstractHttpConfigurer} that disables CSRF protection for gRPC
+ * requests.
+ * <p>
+ * This configurer checks the application context to determine if CSRF protection should
+ * be disabled for gRPC requests based on the property
+ * {@code spring.grpc.security.csrf.enabled}. By default, CSRF protection is disabled
+ * unless explicitly enabled in the application properties.
+ * </p>
+ *
+ * @see AbstractHttpConfigurer
+ * @see HttpSecurity
+ * @author Dave Syer
+ */
+public class GrpcDisableCsrfHttpConfigurer extends AbstractHttpConfigurer<GrpcDisableCsrfHttpConfigurer, HttpSecurity> {
+
+	@Override
+	public void init(HttpSecurity http) throws Exception {
+		ApplicationContext context = http.getSharedObject(ApplicationContext.class);
+		if (context != null && isGrpcEmbedded(context)) {
+			http.csrf(csrf -> csrf.ignoringRequestMatchers(GrpcServletRequest.all()));
+		}
+	}
+
+	private boolean isGrpcEmbedded(ApplicationContext context) {
+		return context.getEnvironment().getProperty("spring.grpc.server.servlet.enabled", Boolean.class, true)
+				&& !context.getEnvironment().getProperty("spring.grpc.security.csrf.enabled", Boolean.class, false);
+	}
+
+}

spring-grpc-spring-boot-autoconfigure/src/main/resources/META-INF/spring.factories

@@ -0,0 +1,2 @@
+org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer=\
+org.springframework.grpc.autoconfigure.server.security.GrpcDisableCsrfHttpConfigurer