@@ -13,6 +13,64 @@ endif::[]
1313
1414== Servlet
1515
16+ === Defer Loading CsrfToken
17+
18+ In Spring Security 5, the default behavior is that the `CsrfToken` will be loaded on every request.
19+ This means that in a typical setup, the `HttpSession` must be read for every request even if it is unnecessary.
20+
21+ In Spring Security 6, the default is that the lookup of the `CsrfToken` will be deferred until it is needed.
22+
23+ To opt into the new Spring Security 6 default, the following configuration can be used.
24+
25+ .Defer Loading `CsrfToken`
26+ ====
27+ .Java
28+ [source,java,role="primary"]
29+ ----
30+ @Bean
31+ DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
32+ CsrfTokenRequestAttributeHandler requestHandler = new CsrfTokenRequestAttributeHandler();
33+ // set the name of the attribute the CsrfToken will be populated on
34+ requestHandler.setCsrfRequestAttributeName("_csrf");
35+ http
36+ // ...
37+ .csrf((csrf) -> csrf
38+ .csrfTokenRequestHandler(requestHandler)
39+ );
40+ return http.build();
41+ }
42+ ----
43+
44+ .Kotlin
45+ [source,kotlin,role="secondary"]
46+ ----
47+ @Bean
48+ open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
49+ val requestHandler = CsrfTokenRequestAttributeHandler()
50+ // set the name of the attribute the CsrfToken will be populated on
51+ requestHandler.setCsrfRequestAttributeName("_csrf")
52+ http {
53+ csrf {
54+ csrfTokenRequestHandler = requestHandler
55+ }
56+ }
57+ return http.build()
58+ }
59+ ----
60+
61+ .XML
62+ [source,xml,role="secondary"]
63+ ----
64+ <http>
65+ <!-- ... -->
66+ <csrf request-handler-ref="requestHandler"/>
67+ </http>
68+ <b:bean id="requestHandler"
69+ class="org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler"
70+ p:csrfRequestAttributeName="_csrf"/>
71+ ----
72+ ====
73+
1674=== Explicit Save SecurityContextRepository
1775
1876In Spring Security 5, the default behavior is for the xref:servlet/authentication/architecture.adoc#servlet-authentication-securitycontext[`SecurityContext`] to automatically be saved to the xref:servlet/authentication/persistence.adoc#securitycontextrepository[`SecurityContextRepository`] using the xref:servlet/authentication/persistence.adoc#securitycontextpersistencefilter[`SecurityContextPersistenceFilter`].
@@ -170,10 +228,10 @@ static PermissionEvaluator permissionEvaluator() {
170228[source,kotlin,role="secondary"]
171229----
172230companion object {
173- @Bean
174- fun permissionEvaluator(): PermissionEvaluator {
175- // ... your evaluator
176- }
231+ @Bean
232+ fun permissionEvaluator(): PermissionEvaluator {
233+ // ... your evaluator
234+ }
177235}
178236----
179237====
@@ -186,22 +244,22 @@ to:
186244----
187245@Bean
188246static MethodSecurityExpressionHandler expressionHandler() {
189- var expressionHandler = new DefaultMethodSecurityExpressionHandler();
190- expressionHandler.setPermissionEvaluator(myPermissionEvaluator);
191- return expressionHandler;
247+ var expressionHandler = new DefaultMethodSecurityExpressionHandler();
248+ expressionHandler.setPermissionEvaluator(myPermissionEvaluator);
249+ return expressionHandler;
192250}
193251----
194252
195253.Kotlin
196254[source,kotlin,role="secondary"]
197255----
198256companion object {
199- @Bean
200- fun expressionHandler(): MethodSecurityExpressionHandler {
201- val expressionHandler = DefaultMethodSecurityExpressionHandler
202- expressionHandler.setPermissionEvaluator(myPermissionEvaluator)
203- return expressionHandler
204- }
257+ @Bean
258+ fun expressionHandler(): MethodSecurityExpressionHandler {
259+ val expressionHandler = DefaultMethodSecurityExpressionHandler
260+ expressionHandler.setPermissionEvaluator(myPermissionEvaluator)
261+ return expressionHandler
262+ }
205263}
206264----
207265====
0 commit comments