From 819529f5eac4659f34b74b7603f04e742314c415 Mon Sep 17 00:00:00 2001
From: Steve Riesenberg
Date: Thu, 13 Oct 2022 10:55:04 -0500
Subject: [PATCH] Remove CsrfSpec.tokenFromMultipartDataEnabled Also removed ServerCsrfDsl.tokenFromMultipartDataEnabled Closes gh-12020
---
 .../config/web/server/ServerHttpSecurity.java | 17 -----------------
 .../security/config/web/server/ServerCsrfDsl.kt | 6 ------
 .../config/web/server/ServerCsrfDslTests.kt | 4 +++-
 3 files changed, 3 insertions(+), 24 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
index 16e232a76e..e9e3e09381 100644
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@@ -149,7 +149,6 @@ import org.springframework.security.web.server.context.WebSessionServerSecurityC
 import org.springframework.security.web.server.csrf.CsrfServerLogoutHandler;
 import org.springframework.security.web.server.csrf.CsrfWebFilter;
 import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository;
-import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestAttributeHandler;
 import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler;
 import org.springframework.security.web.server.csrf.WebSessionServerCsrfTokenRepository;
 import org.springframework.security.web.server.header.CacheControlServerHttpHeadersWriter;
@@ -1865,22 +1864,6 @@ public class ServerHttpSecurity { return this; } - /** - * Specifies if {@link CsrfWebFilter} should try to resolve the actual CSRF token - * from the body of multipart data requests. - * @param enabled true if should read from multipart form body, else false. - * Default is false - * @return the {@link CsrfSpec} for additional configuration - * @deprecated Use - * {@link ServerCsrfTokenRequestAttributeHandler#setTokenFromMultipartDataEnabled(boolean)} - * instead - */ - @Deprecated - public CsrfSpec tokenFromMultipartDataEnabled(boolean enabled) { - this.filter.setTokenFromMultipartDataEnabled(enabled); - return this; - } - /** * Specifies a {@link ServerCsrfTokenRequestHandler} that is used to make the * {@code CsrfToken} available as an exchange attribute. diff --git a/config/src/main/kotlin/org/springframework/security/config/web/server/ServerCsrfDsl.kt b/config/src/main/kotlin/org/springframework/security/config/web/server/ServerCsrfDsl.kt index f9c9dc5f0d..f7cb6b8f1c 100644 --- a/config/src/main/kotlin/org/springframework/security/config/web/server/ServerCsrfDsl.kt +++ b/config/src/main/kotlin/org/springframework/security/config/web/server/ServerCsrfDsl.kt @@ -17,7 +17,6 @@ package org.springframework.security.config.web.server import org.springframework.security.web.server.authorization.ServerAccessDeniedHandler -import org.springframework.security.web.server.csrf.CsrfWebFilter import org.springframework.security.web.server.csrf.ServerCsrfTokenRepository import org.springframework.security.web.server.csrf.ServerCsrfTokenRequestHandler import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher 
@@ -32,8 +31,6 @@ import org.springframework.security.web.server.util.matcher.ServerWebExchangeMat * @property csrfTokenRepository the [ServerCsrfTokenRepository] used to persist the CSRF token. * @property requireCsrfProtectionMatcher the [ServerWebExchangeMatcher] used to determine when CSRF protection * is enabled. - * @property tokenFromMultipartDataEnabled if true, the [CsrfWebFilter] should try to resolve the actual CSRF - * token from the body of multipart data requests. * @property csrfTokenRequestHandler the [ServerCsrfTokenRequestHandler] that is used to make the CSRF token * available as an exchange attribute */ @@ -42,8 +39,6 @@ class ServerCsrfDsl { var accessDeniedHandler: ServerAccessDeniedHandler? = null var csrfTokenRepository: ServerCsrfTokenRepository? = null var requireCsrfProtectionMatcher: ServerWebExchangeMatcher? = null - @Deprecated("Use 'csrfTokenRequestHandler' instead") - var tokenFromMultipartDataEnabled: Boolean? = null var csrfTokenRequestHandler: ServerCsrfTokenRequestHandler? = null private var disabled = false @@ -60,7 +55,6 @@ class ServerCsrfDsl { accessDeniedHandler?.also { csrf.accessDeniedHandler(accessDeniedHandler) } csrfTokenRepository?.also { csrf.csrfTokenRepository(csrfTokenRepository) } requireCsrfProtectionMatcher?.also { csrf.requireCsrfProtectionMatcher(requireCsrfProtectionMatcher) } - tokenFromMultipartDataEnabled?.also { csrf.tokenFromMultipartDataEnabled(tokenFromMultipartDataEnabled!!) } csrfTokenRequestHandler?.also { csrf.csrfTokenRequestHandler(csrfTokenRequestHandler) } if (disabled) { csrf.disable() diff --git a/config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt index 28dcf7dc21..4f6bd39b44 100644 --- a/config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt 
+++ b/config/src/test/kotlin/org/springframework/security/config/web/server/ServerCsrfDslTests.kt
@@ -311,7 +311,9 @@ class ServerCsrfDslTests {
 return http {
 csrf {
 csrfTokenRepository = TOKEN_REPOSITORY
- tokenFromMultipartDataEnabled = true
+ csrfTokenRequestHandler = XorServerCsrfTokenRequestAttributeHandler().apply {
+ setTokenFromMultipartDataEnabled(true)
+ }
 }
 }
 }
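Review bot: The three added lines inside `csrf { }` replace the whole request handler just to switch on multipart token lookup, so this test now exercises `XorServerCsrfTokenRequestAttributeHandler` together with the flag, while the Javadoc this commit removes pointed callers at `ServerCsrfTokenRequestAttributeHandler#setTokenFromMultipartDataEnabled(boolean)`. A short comment above the assignment would record the intent, for example `// multipart token lookup is configured on the request handler now that the DSL property is gone`. The diffstat lists only these three insertions for the file, so the import for the Xor handler presumably already exists; that cannot be confirmed from the hunk. Anyone copying this pattern into a real configuration should know that the setting makes the CSRF filter read the multipart body before the token has been validated, so request size limits need to be in place ahead of it. The enclosing function starts outside the hunk.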