Support XorCsrfTokenRequestAttributeHandler #14923

Closed
Artur- opened this issue Oct 26, 2022 · 4 comments · Fixed by #16521

Member

Artur- commented Oct 26, 2022

Describe your motivation

Spring Security 6 switched to use XorCsrfTokenRequestAttributeHandler for the CSRF token by default in spring-projects/spring-security#11960. This is not supported by Hilla endpoints right now. The login handler returns the CsrfTokenRequestAttributeHandler token instead and the next endpoint request then fails.

Describe the solution you'd like

Endpoints and Hilla should work with both CsrfTokenRequestAttributeHandler and XorCsrfTokenRequestAttributeHandler.


simasch commented Dec 1, 2022

When will this be fixed as it blocks migrating Hilla apps to Spring Boot 3?

Member Author

Artur- commented Dec 1, 2022

Hilla uses the old-style CSRF token, so this should not block anything unless there is a bug.


simasch commented Dec 1, 2022

@Artur- So this is not the cause for: vaadin/hilla#681

@vaadin-bot
Collaborator

This ticket/PR has been released with Vaadin 24.1.0.alpha3 and is also targeting the upcoming stable 24.1.0 version.
