Default to Xor CSRF tokens in CsrfFilter

Issue gh-11960

Author: Steve Riesenberg

config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java

@@ -51,8 +51,11 @@
 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
 import org.springframework.security.web.csrf.DefaultCsrfToken;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.header.HeaderWriterFilter;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
 import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
@@ -121,8 +124,12 @@ public void defaultFiltersPermitAll() throws IOException, ServletException {
 		MockHttpServletRequest request = new MockHttpServletRequest("POST", "");
 		request.setServletPath("/logout");
 		CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "BaseSpringSpec_CSRFTOKEN");
-		new HttpSessionCsrfTokenRepository().saveToken(csrfToken, request, response);
-		request.setParameter(csrfToken.getParameterName(), csrfToken.getToken());
+		CsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
+		repository.saveToken(csrfToken, request, response);
+		CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
+		handler.handle(request, response, () -> csrfToken);
+		CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
+		request.setParameter(token.getParameterName(), token.getToken());
 		this.spring.getContext().getBean("springSecurityFilterChain", Filter.class).doFilter(request, response,
 				new MockFilterChain());
 		assertThat(response.getRedirectedUrl()).isEqualTo("/login?logout");

config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultLoginPageConfigurerTests.java

@@ -85,7 +85,9 @@ public void loginPageThenDefaultLoginPageIsRendered() throws Exception {
 		String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
 		// @formatter:off
 		this.mvc.perform(get("/login").sessionAttr(csrfAttributeName, csrfToken))
-				.andExpect(content().string("<!DOCTYPE html>\n"
+				.andExpect((result) -> {
+					CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
+					assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
 						+ "<html lang=\"en\">\n"
 						+ "  <head>\n"
 						+ "    <meta charset=\"utf-8\">\n"
@@ -108,11 +110,12 @@ public void loginPageThenDefaultLoginPageIsRendered() throws Exception {
 						+ "          <label for=\"password\" class=\"sr-only\">Password</label>\n"
 						+ "          <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
 						+ "        </p>\n"
-						+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n"
+						+ "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
 						+ "        <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
 						+ "      </form>\n"
 						+ "</div>\n"
-						+ "</body></html>"));
+						+ "</body></html>");
+				});
 		// @formatter:on
 	}
 
@@ -131,7 +134,9 @@ public void loginPageWhenErrorThenDefaultLoginPageWithError() throws Exception {
 		// @formatter:off
 		this.mvc.perform(get("/login?error").session((MockHttpSession) mvcResult.getRequest().getSession())
 				.sessionAttr(csrfAttributeName, csrfToken))
-				.andExpect(content().string("<!DOCTYPE html>\n"
+				.andExpect((result) -> {
+					CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
+					assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
 						+ "<html lang=\"en\">\n"
 						+ "  <head>\n"
 						+ "    <meta charset=\"utf-8\">\n"
@@ -153,11 +158,12 @@ public void loginPageWhenErrorThenDefaultLoginPageWithError() throws Exception {
 						+ "          <label for=\"password\" class=\"sr-only\">Password</label>\n"
 						+ "          <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
 						+ "        </p>\n"
-						+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n"
+						+ "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
 						+ "        <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
 						+ "      </form>\n"
 						+ "</div>\n"
-						+ "</body></html>"));
+						+ "</body></html>");
+				});
 		// @formatter:on
 	}
 
@@ -180,7 +186,9 @@ public void loginPageWhenLoggedOutThenDefaultLoginPageWithLogoutMessage() throws
 		String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
 		// @formatter:off
 		this.mvc.perform(get("/login?logout").sessionAttr(csrfAttributeName, csrfToken))
-				.andExpect(content().string("<!DOCTYPE html>\n"
+				.andExpect((result) -> {
+					CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
+					assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
 						+ "<html lang=\"en\">\n"
 						+ "  <head>\n"
 						+ "    <meta charset=\"utf-8\">\n"
@@ -203,11 +211,12 @@ public void loginPageWhenLoggedOutThenDefaultLoginPageWithLogoutMessage() throws
 						+ "          <label for=\"password\" class=\"sr-only\">Password</label>\n"
 						+ "          <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
 						+ "        </p>\n"
-						+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n"
+						+ "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
 						+ "        <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
 						+ "      </form>\n"
 						+ "</div>\n"
-						+ "</body></html>"));
+						+ "</body></html>");
+				});
 		// @formatter:on
 	}
 
@@ -230,7 +239,9 @@ public void loginPageWhenRememberConfigureThenDefaultLoginPageWithRememberMeChec
 		String csrfAttributeName = HttpSessionCsrfTokenRepository.class.getName().concat(".CSRF_TOKEN");
 		// @formatter:off
 		this.mvc.perform(get("/login").sessionAttr(csrfAttributeName, csrfToken))
-				.andExpect(content().string("<!DOCTYPE html>\n"
+				.andExpect((result) -> {
+					CsrfToken token = (CsrfToken) result.getRequest().getAttribute(CsrfToken.class.getName());
+					assertThat(result.getResponse().getContentAsString()).isEqualTo("<!DOCTYPE html>\n"
 						+ "<html lang=\"en\">\n"
 						+ "  <head>\n"
 						+ "    <meta charset=\"utf-8\">\n"
@@ -254,11 +265,12 @@ public void loginPageWhenRememberConfigureThenDefaultLoginPageWithRememberMeChec
 						+ "          <input type=\"password\" id=\"password\" name=\"password\" class=\"form-control\" placeholder=\"Password\" required>\n"
 						+ "        </p>\n"
 						+ "<p><input type='checkbox' name='remember-me'/> Remember me on this computer.</p>\n"
-						+ "<input name=\"" + csrfToken.getParameterName() + "\" type=\"hidden\" value=\"" + csrfToken.getToken() + "\" />\n"
+						+ "<input name=\"" + token.getParameterName() + "\" type=\"hidden\" value=\"" + token.getToken() + "\" />\n"
 						+ "        <button class=\"btn btn-lg btn-primary btn-block\" type=\"submit\">Sign in</button>\n"
 						+ "      </form>\n"
 						+ "</div>\n"
-						+ "</body></html>"));
+						+ "</body></html>");
+				});
 		// @formatter:on
 	}
 

config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java

@@ -39,7 +39,10 @@
 import org.springframework.security.web.context.HttpRequestResponseHolder;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
+import org.springframework.security.web.csrf.DeferredCsrfToken;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
 
 import static org.assertj.core.api.Assertions.assertThat;
 
@@ -82,8 +85,10 @@ public void changeSessionIdThenPreserveParameters() throws Exception {
 		request.setParameter("username", "user");
 		request.setParameter("password", "password");
 		HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
-		CsrfToken token = repository.generateToken(request);
-		repository.saveToken(token, request, this.response);
+		CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
+		DeferredCsrfToken deferredCsrfToken = repository.loadDeferredToken(request, this.response);
+		handler.handle(request, this.response, deferredCsrfToken::get);
+		CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
 		request.setParameter(token.getParameterName(), token.getToken());
 		request.getSession().setAttribute("attribute1", "value1");
 		loadConfig(SessionManagementDefaultSessionFixationServlet31Config.class);

test/src/test/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessorsCsrfTests.java

@@ -40,7 +40,10 @@
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.csrf.CsrfToken;
+import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
+import org.springframework.security.web.csrf.DeferredCsrfToken;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
+import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.test.context.web.WebAppConfiguration;
@@ -157,9 +160,12 @@ public void csrfWhenUsedThenDoesNotImpactOriginalRepository() throws Exception {
 		// @formatter:off
 		this.mockMvc.perform(post("/").with(csrf()));
 		MockHttpServletRequest request = new MockHttpServletRequest();
+		MockHttpServletResponse response = new MockHttpServletResponse();
 		HttpSessionCsrfTokenRepository repo = new HttpSessionCsrfTokenRepository();
-		CsrfToken token = repo.generateToken(request);
-		repo.saveToken(token, request, new MockHttpServletResponse());
+		CsrfTokenRequestHandler handler = new XorCsrfTokenRequestAttributeHandler();
+		DeferredCsrfToken deferredCsrfToken = repo.loadDeferredToken(request, response);
+		handler.handle(request, response, deferredCsrfToken::get);
+		CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
 		MockHttpServletRequestBuilder requestWithCsrf = post("/")
 			.param(token.getParameterName(), token.getToken())
 			.session((MockHttpSession) request.getSession());

web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java

@@ -87,7 +87,7 @@ public final class CsrfFilter extends OncePerRequestFilter {
 
 	private AccessDeniedHandler accessDeniedHandler = new AccessDeniedHandlerImpl();
 
-	private CsrfTokenRequestHandler requestHandler = new CsrfTokenRequestAttributeHandler();
+	private CsrfTokenRequestHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
 
 	/**
 	 * Creates a new instance.