Remove CsrfSpec.tokenFromMultipartDataEnabled

Also removed ServerCsrfDsl.tokenFromMultipartDataEnabled

Closes gh-12020

Author: Steve Riesenberg

config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

@@ -149,7 +149,6 @@
 import org.springframework.security.web.server.csrf.CsrfServerLogoutHandler;
 import org.springframework.security.web.server.csrf.CsrfWebFilter;
 import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository;
-import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler;
 import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
 import org.springframework.security.web.server.header.CacheControlServerHttpHeadersWriter;
@@ -1865,22 +1864,6 @@ public CsrfSpec requireCsrfProtectionMatcher(ServerWebExchangeMatcher requireCsr
 			return this;
 		}
 
-		/**
-		 * Specifies if {@link CsrfWebFilter} should try to resolve the actual CSRF token
-		 * from the body of multipart data requests.
-		 * @param enabled true if should read from multipart form body, else false.
-		 * Default is false
-		 * @return the {@link CsrfSpec} for additional configuration
-		 * @deprecated Use
-		 * {@link ServerCsrfTokenRequestAttributeHandler#setTokenFromMultipartDataEnabled(boolean)}
-		 * instead
-		 */
-		@Deprecated
-		public CsrfSpec tokenFromMultipartDataEnabled(boolean enabled) {
-			this.filter.setTokenFromMultipartDataEnabled(enabled);
-			return this;
-		}
-
 		/**
 		 * Specifies a {@link ServerCsrfTokenRequestHandler} that is used to make the
 		 * {@code CsrfToken} available as an exchange attribute.

config/src/main/kotlin/org/springframework/security/config/web/server/ServerCsrfDsl.kt

@@ -17,7 +17,6 @@
 package org.springframework.security.config.web.server
 
 import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler
-import org.springframework.security.web.server.csrf.CsrfWebFilter
 import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository
 import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher
@@ -32,8 +31,6 @@ import org.springframework.security.web.server.util.matcher.ServerWebExchangeMat
  * @property csrfTokenRepository the [ServerCsrfTokenRepository] used to persist the CSRF token.
  * @property requireCsrfProtectionMatcher the [ServerWebExchangeMatcher] used to determine when CSRF protection
  * is enabled.
- * @property tokenFromMultipartDataEnabled if true, the [CsrfWebFilter] should try to resolve the actual CSRF
- * token from the body of multipart data requests.
  * @property csrfTokenRequestHandler the  [ServerCsrfTokenRequestHandler] that is used to make the CSRF token
  * available as an exchange attribute
  */
@@ -42,8 +39,6 @@ class ServerCsrfDsl {
     var accessDeniedHandler: ServerAccessDeniedHandler? = null
     var csrfTokenRepository: ServerCsrfTokenRepository? = null
     var requireCsrfProtectionMatcher: ServerWebExchangeMatcher? = null
-    @Deprecated("Use 'csrfTokenRequestHandler' instead")
-    var tokenFromMultipartDataEnabled: Boolean? = null
     var csrfTokenRequestHandler: ServerCsrfTokenRequestHandler? = null
 
     private var disabled = false
@@ -60,7 +55,6 @@ class ServerCsrfDsl {
             accessDeniedHandler?.also { csrf.accessDeniedHandler(accessDeniedHandler) }
             csrfTokenRepository?.also { csrf.csrfTokenRepository(csrfTokenRepository) }
             requireCsrfProtectionMatcher?.also { csrf.requireCsrfProtectionMatcher(requireCsrfProtectionMatcher) }
-            tokenFromMultipartDataEnabled?.also { csrf.tokenFromMultipartDataEnabled(tokenFromMultipartDataEnabled!!) }
             csrfTokenRequestHandler?.also { csrf.csrfTokenRequestHandler(csrfTokenRequestHandler) }
             if (disabled) {
                 csrf.disable()

config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt

@@ -311,7 +311,9 @@ class ServerCsrfDslTests {
             return http {
                 csrf {
                     csrfTokenRepository = TOKEN_REPOSITORY
-                    tokenFromMultipartDataEnabled = true
+                    csrfTokenRequestHandler = XorServerCsrfTokenRequestAttributeHandler().apply {
+                        setTokenFromMultipartDataEnabled(true)
+                    }
                 }
             }
         }