diff --git a/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/csrf.adoc b/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/csrf.adoc
index c59c18db32..b5f5652b51 100644
--- a/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/csrf.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/reactive/exploits/csrf.adoc
@@ -34,9 +34,10 @@ These defaults come from https://docs.angularjs.org/api/ng/service/$http#cross-s
 You can configure `CookieCsrfTokenRepository` in Java Configuration using:
-.Store CSRF Token in a Cookie with Java Configuration
+.Store CSRF Token in a Cookie
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 -----
 @Bean
 public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@@ -46,6 +47,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
 return http.build();
 }
 -----
+
+.Kotlin
+[source,kotlin,role="secondary"]
+-----
+@Bean
+fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ // ...
+ csrf {
+ csrfTokenRepository = CookieServerCsrfTokenRepository.withHttpOnlyFalse()
+ }
+ }
+}
+-----
 ====
 [NOTE]
@@ -62,9 +77,10 @@ However, it is simple to disable CSRF protection if it < {
+ val csrfToken: Mono? = exchange.getAttribute(CsrfToken::class.java.name)
+ return csrfToken!!.doOnSuccess { token ->
+ exchange.attributes[CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME] = token
+ }
+ }
+}
+----
 ====
 Fortunately, Thymeleaf provides <> that works without any additional work.
@@ -253,7 +299,8 @@ For example, the following Java Configuration will perform logout with the URL `
 .Log out with HTTP GET
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
 @Bean
 public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@@ -262,7 +309,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
 .logout(logout -> logout.requiresLogout(new PathPatternParserServerWebExchangeMatcher("/logout")))
 return http.build();
 }
+----
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ // ...
+ logout {
+ requiresLogout = PathPatternParserServerWebExchangeMatcher("/logout")
+ }
+ }
+}
 ----
 ====
@@ -301,7 +361,8 @@ In a WebFlux application, this can be configured with the following configuratio
 .Enable obtaining CSRF token from multipart/form-data
 ====
-[source,java]
+.Java
+[source,java,role="primary"]
 ----
 @Bean
 public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
@@ -310,7 +371,20 @@ public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http)
 .csrf(csrf -> csrf.tokenFromMultipartDataEnabled(true))
 return http.build();
 }
+----
+.Kotlin
+[source,kotlin,role="secondary"]
+----
+@Bean
+fun springSecurityFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
+ return http {
+ // ...
+ csrf {
+ tokenFromMultipartDataEnabled = true
+ }
+ }
+}
 ----
 ====