use customized SpaCsrfTokenRequestHandler to handle CSRF token

[yhao3]

Description

In the production configuration, the server has enabled the compression feature (as shown below):

server:
  port: 8080
  shutdown: graceful # see https://docs.spring.io/spring-boot/docs/current/reference/html/spring-boot-features.html#boot-features-graceful-shutdown
  compression:
    enabled: true
    mime-types: text/html,text/xml,text/plain,text/css,application/javascript,application/json,image/svg+xml
    min-response-size: 1024

This implies that the server might be vulnerable to BREACH attacks. Currently, in the SecurityConfiguration, we're using CsrfTokenRequestAttributeHandler to manage Csrf Tokens. However, according to the official documentation, "The primary use of CsrfTokenRequestAttributeHandler is to opt-out of BREACH protection of the CsrfToken" because the value of X-Xsrf-Token in the response headers remains constant for every request.

Following the guidance from the Spring Security official documentation, I found the following section:

Integrating with CSRF Protection > JavaScript Applications > Single-Page Applications

In fact, for single-page applications (SPAs), we can use XorCsrfTokenRequestAttributeHandler in conjunction with CsrfTokenRequestAttributeHandler. By employing different implementations in various contexts to manage Csrf Tokens, we can leverage the capabilities of XorCsrfTokenRequestAttributeHandler to shield against BREACH attacks.

Therefore, I've submitted this pull request in alignment with the recommendations provided in the official documentation.

[yhao3]

Hi @mshima, thank you for your review. I've made adjustments based on your suggestions. Could you please review again? Thanks!