CsrfTokenRequestHandler extends CsrfTokenRequestResolver

Closes gh-11896
2026-05-22 21:33:16 +00:00 · 2022-09-23 11:18:31 -05:00
parent d140d95305
commit 46696a9226
18 changed files with 155 additions and 188 deletions
@@ -36,8 +36,8 @@ import org.springframework.security.web.csrf.CsrfAuthenticationStrategy;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfLogoutHandler;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.CsrfTokenRepositoryRequestHandler;
 import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
-import org.springframework.security.web.csrf.CsrfTokenRequestResolver;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
@@ -93,8 +93,6 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>

 	private CsrfTokenRequestHandler requestHandler;

-	private CsrfTokenRequestResolver requestResolver;
-
 	private final ApplicationContext context;

 	/**
@@ -135,23 +133,13 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 	 * available as a request attribute.
 	 * @param requestHandler the {@link CsrfTokenRequestHandler} to use
 	 * @return the {@link CsrfConfigurer} for further customizations
+	 * @since 5.8
 	 */
 	public CsrfConfigurer<H> csrfTokenRequestHandler(CsrfTokenRequestHandler requestHandler) {
 		this.requestHandler = requestHandler;
 		return this;
 	}

-	/**
-	 * Specify a {@link CsrfTokenRequestResolver} to use for resolving the token value
-	 * from the request.
-	 * @param requestResolver the {@link CsrfTokenRequestResolver} to use
-	 * @return the {@link CsrfConfigurer} for further customizations
-	 */
-	public CsrfConfigurer<H> csrfTokenRequestResolver(CsrfTokenRequestResolver requestResolver) {
-		this.requestResolver = requestResolver;
-		return this;
-	}
-
 	/**
 	 * <p>
 	 * Allows specifying {@link HttpServletRequest} that should not use CSRF Protection
@@ -229,7 +217,13 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 	@SuppressWarnings("unchecked")
 	@Override
 	public void configure(H http) {
-		CsrfFilter filter = new CsrfFilter(this.csrfTokenRepository);
+		CsrfFilter filter;
+		if (this.requestHandler != null) {
+			filter = new CsrfFilter(this.requestHandler);
+		}
+		else {
+			filter = new CsrfFilter(new CsrfTokenRepositoryRequestHandler(this.csrfTokenRepository));
+		}
 		RequestMatcher requireCsrfProtectionMatcher = getRequireCsrfProtectionMatcher();
 		if (requireCsrfProtectionMatcher != null) {
 			filter.setRequireCsrfProtectionMatcher(requireCsrfProtectionMatcher);
@@ -246,12 +240,6 @@ public final class CsrfConfigurer<H extends HttpSecurityBuilder<H>>
 		if (sessionConfigurer != null) {
 			sessionConfigurer.addSessionAuthenticationStrategy(getSessionAuthenticationStrategy());
 		}
-		if (this.requestHandler != null) {
-			filter.setRequestHandler(this.requestHandler);
-		}
-		if (this.requestResolver != null) {
-			filter.setRequestResolver(this.requestResolver);
-		}
 		filter = postProcess(filter);
 		http.addFilter(filter);
 	}
@@ -41,6 +41,7 @@ import org.springframework.security.web.access.DelegatingAccessDeniedHandler;
 import org.springframework.security.web.csrf.CsrfAuthenticationStrategy;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfLogoutHandler;
+import org.springframework.security.web.csrf.CsrfTokenRepositoryRequestHandler;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
 import org.springframework.security.web.csrf.MissingCsrfTokenException;
@@ -73,8 +74,6 @@ public class CsrfBeanDefinitionParser implements BeanDefinitionParser {

 	private static final String ATT_REQUEST_HANDLER = "request-handler-ref";

-	private static final String ATT_REQUEST_RESOLVER = "request-resolver-ref";
-
 	private String csrfRepositoryRef;

 	private BeanDefinition csrfFilter;
@@ -83,8 +82,6 @@ public class CsrfBeanDefinitionParser implements BeanDefinitionParser {

 	private String requestHandlerRef;

-	private String requestResolverRef;
-
 	@Override
 	public BeanDefinition parse(Element element, ParserContext pc) {
 		boolean disabled = element != null && "true".equals(element.getAttribute("disabled"));
@@ -104,7 +101,6 @@ public class CsrfBeanDefinitionParser implements BeanDefinitionParser {
 			this.csrfRepositoryRef = element.getAttribute(ATT_REPOSITORY);
 			this.requestMatcherRef = element.getAttribute(ATT_MATCHER);
 			this.requestHandlerRef = element.getAttribute(ATT_REQUEST_HANDLER);
-			this.requestResolverRef = element.getAttribute(ATT_REQUEST_RESOLVER);
 		}
 		if (!StringUtils.hasText(this.csrfRepositoryRef)) {
 			RootBeanDefinition csrfTokenRepository = new RootBeanDefinition(HttpSessionCsrfTokenRepository.class);
@@ -116,16 +112,18 @@ public class CsrfBeanDefinitionParser implements BeanDefinitionParser {
 					new BeanComponentDefinition(lazyTokenRepository.getBeanDefinition(), this.csrfRepositoryRef));
 		}
 		BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(CsrfFilter.class);
-		builder.addConstructorArgReference(this.csrfRepositoryRef);
+		if (!StringUtils.hasText(this.requestHandlerRef)) {
+			BeanDefinition csrfTokenRequestHandler = BeanDefinitionBuilder
+					.rootBeanDefinition(CsrfTokenRepositoryRequestHandler.class)
+					.addConstructorArgReference(this.csrfRepositoryRef).getBeanDefinition();
+			builder.addConstructorArgValue(csrfTokenRequestHandler);
+		}
+		else {
+			builder.addConstructorArgReference(this.requestHandlerRef);
+		}
 		if (StringUtils.hasText(this.requestMatcherRef)) {
 			builder.addPropertyReference("requireCsrfProtectionMatcher", this.requestMatcherRef);
 		}
-		if (StringUtils.hasText(this.requestHandlerRef)) {
-			builder.addPropertyReference("requestHandler", this.requestHandlerRef);
-		}
-		if (StringUtils.hasText(this.requestResolverRef)) {
-			builder.addPropertyReference("requestResolver", this.requestResolverRef);
-		}
 		this.csrfFilter = builder.getBeanDefinition();
 		return this.csrfFilter;
 	}
@@ -1154,9 +1154,6 @@ csrf-options.attlist &=
 csrf-options.attlist &=
 	## The CsrfTokenRequestHandler to use. The default is CsrfTokenRequestProcessor.
 	attribute request-handler-ref { xsd:token }?
-csrf-options.attlist &=
-	## The CsrfTokenRequestResolver to use. The default is CsrfTokenRequestProcessor.
-	attribute request-resolver-ref { xsd:token }?

 headers =
 ## Element for configuration of the HeaderWritersFilter. Enables easy setting for the X-Frame-Options, X-XSS-Protection and X-Content-Type-Options headers.
@@ -3258,13 +3258,7 @@
      </xs:attribute>
      <xs:attribute name="request-handler-ref" type="xs:token">
         <xs:annotation>
-            <xs:documentation>The CsrfTokenRequestHandler to use. The default is CsrfTokenRequestProcessor.
-                </xs:documentation>
-         </xs:annotation>
-      </xs:attribute>
-      <xs:attribute name="request-resolver-ref" type="xs:token">
-         <xs:annotation>
-            <xs:documentation>The CsrfTokenRequestResolver to use. The default is CsrfTokenRequestProcessor.
+            <xs:documentation>The CsrfTokenRequestHandler to use. The default is CsrfTokenRepositoryRequestHandler.
                </xs:documentation>
         </xs:annotation>
      </xs:attribute>
@@ -33,7 +33,7 @@ import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
-import org.springframework.security.web.csrf.CsrfTokenRequestProcessor;
+import org.springframework.security.web.csrf.CsrfTokenRepositoryRequestHandler;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
@@ -85,7 +85,7 @@ public class DeferHttpSessionJavaConfigTests {
 			csrfRepository.setDeferLoadToken(true);
 			HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
 			requestCache.setMatchingRequestParameterName("continue");
-			CsrfTokenRequestProcessor requestHandler = new CsrfTokenRequestProcessor();
+			CsrfTokenRepositoryRequestHandler requestHandler = new CsrfTokenRepositoryRequestHandler();
 			requestHandler.setCsrfRequestAttributeName("_csrf");
 			// @formatter:off
 			http
@@ -44,7 +44,7 @@ import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
-import org.springframework.security.web.csrf.CsrfTokenRequestProcessor;
+import org.springframework.security.web.csrf.CsrfTokenRepositoryRequestHandler;
 import org.springframework.security.web.csrf.DefaultCsrfToken;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@@ -422,8 +422,7 @@ public class CsrfConfigurerTests {
 		CsrfTokenRepository csrfTokenRepository = mock(CsrfTokenRepository.class);
 		CsrfToken csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN", "_csrf", "token");
 		given(csrfTokenRepository.generateToken(any(HttpServletRequest.class))).willReturn(csrfToken);
-		CsrfTokenRequestProcessorConfig.PROCESSOR = new CsrfTokenRequestProcessor();
-		CsrfTokenRequestProcessorConfig.PROCESSOR.setTokenRepository(csrfTokenRepository);
+		CsrfTokenRequestProcessorConfig.HANDLER = new CsrfTokenRepositoryRequestHandler(csrfTokenRepository);
 		this.spring.register(CsrfTokenRequestProcessorConfig.class, BasicController.class).autowire();
 		this.mvc.perform(get("/login")).andExpect(status().isOk())
 				.andExpect(content().string(containsString(csrfToken.getToken())));
@@ -440,8 +439,7 @@ public class CsrfConfigurerTests {
 		CsrfTokenRepository csrfTokenRepository = mock(CsrfTokenRepository.class);
 		given(csrfTokenRepository.loadToken(any(HttpServletRequest.class))).willReturn(null, csrfToken);
 		given(csrfTokenRepository.generateToken(any(HttpServletRequest.class))).willReturn(csrfToken);
-		CsrfTokenRequestProcessorConfig.PROCESSOR = new CsrfTokenRequestProcessor();
-		CsrfTokenRequestProcessorConfig.PROCESSOR.setTokenRepository(csrfTokenRepository);
+		CsrfTokenRequestProcessorConfig.HANDLER = new CsrfTokenRepositoryRequestHandler(csrfTokenRepository);

 		this.spring.register(CsrfTokenRequestProcessorConfig.class, BasicController.class).autowire();
 		// @formatter:off
@@ -803,7 +801,7 @@ public class CsrfConfigurerTests {
 	@EnableWebSecurity
 	static class CsrfTokenRequestProcessorConfig {

-		static CsrfTokenRequestProcessor PROCESSOR;
+		static CsrfTokenRepositoryRequestHandler HANDLER;

 		@Bean
 		SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
@@ -813,10 +811,7 @@ public class CsrfConfigurerTests {
 					.anyRequest().authenticated()
 				)
 				.formLogin(Customizer.withDefaults())
-				.csrf((csrf) -> csrf
-					.csrfTokenRequestHandler(PROCESSOR)
-					.csrfTokenRequestResolver(PROCESSOR)
-				);
+				.csrf((csrf) -> csrf.csrfTokenRequestHandler(HANDLER));
 			// @formatter:on

 			return http.build();
@@ -26,7 +26,7 @@
 		<csrf request-handler-ref="requestHandler"/>
 	</http>

-	<b:bean id="requestHandler" class="org.springframework.security.web.csrf.CsrfTokenRequestProcessor"
+	<b:bean id="requestHandler" class="org.springframework.security.web.csrf.CsrfTokenRepositoryRequestHandler"
 		p:csrfRequestAttributeName="csrf-attribute-name"/>
 	<b:import resource="CsrfConfigTests-shared-userservice.xml"/>
 </b:beans>
@@ -42,7 +42,7 @@
 	<b:bean id="csrfRepository" class="org.springframework.security.web.csrf.LazyCsrfTokenRepository"
 		c:delegate-ref="httpSessionCsrfRepository"
 	 	p:deferLoadToken="true"/>
-	<b:bean id="requestHandler" class="org.springframework.security.web.csrf.CsrfTokenRequestProcessor"
+	<b:bean id="requestHandler" class="org.springframework.security.web.csrf.CsrfTokenRepositoryRequestHandler"
 		p:csrfRequestAttributeName="_csrf"/>
 	<b:import resource="CsrfConfigTests-shared-userservice.xml"/>
 </b:beans>