
fix: Use default XOR CSRF token mechanism in Spring #16521

Merged
merged 2 commits into from
Apr 3, 2023

Conversation

Artur-
Member

@Artur- Artur- commented Apr 3, 2023

@Artur- Artur- requested a review from platosha April 3, 2023 14:12
@Artur- Artur- force-pushed the XorCsrfTokenRequestAttributeHandler branch from 11764ba to 11d05b8 Compare April 3, 2023 14:13
@github-actions

github-actions bot commented Apr 3, 2023

Test Results

978 files, 978 suites, 1h 20m 48s ⏱️
6 165 tests: 6 127 ✔️ passed, 38 💤 skipped, 0 failed
6 416 runs: 6 371 ✔️ passed, 45 💤 skipped, 0 failed

Results for commit ab3136a.

♻️ This comment has been updated with latest results.

@@ -98,7 +100,13 @@ public void init(H http) {
// session (double-submit cookie pattern)
CsrfTokenRepository csrfTokenRepository = CookieCsrfTokenRepository
.withHttpOnlyFalse();
XorCsrfTokenRequestAttributeHandler delegate = new XorCsrfTokenRequestAttributeHandler();
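Review bot: the new line names the handler `delegate`, which signals that `XorCsrfTokenRequestAttributeHandler` is wrapped rather than registered directly, but nothing in the hunk records why; the comment on the line above (`// session (double-submit cookie pattern)`) explains the cookie repository, not the handler. Add a comment next to the new line stating that the XOR handler is the Spring Security 5.8/6 default the PR title refers to (it masks the token each time it is exposed, so the raw value never repeats in a response), and that the wrapper is needed because a JavaScript client echoes the unmasked cookie value in the request header, which the XOR handler alone would reject as an invalid mask. Without that note, a later reader may "simplify" the code by dropping the wrapper and silently break header-based token submission.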
Contributor

Would be nice to have a comment explaining why the handler is customized like this. Maybe linking this: https://docs.spring.io/spring-security/reference/5.8/migration/servlet/exploits.html#_i_am_using_angularjs_or_another_javascript_framework

Member Author

Added
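For readers who follow the Spring Security migration guide linked in the review comment, the following is an added illustration of the delegating-handler pattern that guide describes; it is not Vaadin's code from this PR, and the class name `SpaCsrfTokenRequestHandler` and the `configure` method are this example's own. It shows why a wrapper around `XorCsrfTokenRequestAttributeHandler` is needed when the CSRF token lives in a cookie readable by JavaScript: the XOR handler masks the token with a fresh random value every time it is published to a page (so the token bytes never repeat in a compressed response), while a JavaScript client sends the raw cookie value in the `X-XSRF-TOKEN` header, which must be compared unmasked.

```java
import java.util.function.Supplier;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;
import org.springframework.security.web.csrf.CsrfTokenRequestHandler;
import org.springframework.security.web.csrf.XorCsrfTokenRequestAttributeHandler;
import org.springframework.util.StringUtils;

/**
 * Added example (not Vaadin's code): the handler pattern from the Spring Security
 * 5.8/6 migration guide for JavaScript clients that read the CSRF cookie and echo
 * it in a request header.
 *
 * - XorCsrfTokenRequestAttributeHandler masks the token with a new random value
 *   each time it is exposed as a request attribute (e.g. to a server-rendered form),
 *   so the literal token never repeats in a compressed response body.
 * - A JavaScript client copies the *raw* cookie value into the header. The XOR
 *   handler would reject that as an invalid mask, so header tokens are resolved by
 *   the plain handler while form-parameter tokens are unmasked by the delegate.
 */
final class SpaCsrfTokenRequestHandler extends CsrfTokenRequestAttributeHandler {

    private final CsrfTokenRequestHandler delegate = new XorCsrfTokenRequestAttributeHandler();

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            Supplier<CsrfToken> csrfToken) {
        // Always publish the masked token; the Supplier keeps token creation lazy.
        this.delegate.handle(request, response, csrfToken);
    }

    @Override
    public String resolveCsrfTokenValue(HttpServletRequest request, CsrfToken csrfToken) {
        // Header present: the client copied the cookie, so compare the raw value.
        if (StringUtils.hasText(request.getHeader(csrfToken.getHeaderName()))) {
            return super.resolveCsrfTokenValue(request, csrfToken);
        }
        // Otherwise the token arrived as a form parameter and must be unmasked first.
        return this.delegate.resolveCsrfTokenValue(request, csrfToken);
    }
}

/** Wiring for the handler above; hypothetical config class for this example only. */
final class CsrfConfigExample {

    static void configure(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf
                // HttpOnly=false is deliberate: the double-submit cookie pattern
                // requires the browser-side script to read this cookie.
                .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                .csrfTokenRequestHandler(new SpaCsrfTokenRequestHandler()));
    }
}
```

The practical check after wiring this up is to send a state-changing request twice: once with the cookie value copied into `X-XSRF-TOKEN` (expected to succeed) and once with that same raw value submitted as the `_csrf` form parameter without a rendered page (expected to be rejected, because the form path goes through the XOR delegate and requires the masked value a page would have received). If both paths succeed, the wrapper has been bypassed and the XOR masking is not actually in effect.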

@Artur- Artur- enabled auto-merge (squash) April 3, 2023 15:39
@sonarqubecloud

sonarqubecloud bot commented Apr 3, 2023

Kudos, SonarCloud Quality Gate passed!

Bugs: 0 (rating A)
Vulnerabilities: 0 (rating A)
Security Hotspots: 0 (rating A)
Code Smells: 0 (rating A)

No Coverage information
No Duplication information

@Artur- Artur- merged commit 3fd2745 into main Apr 3, 2023
@Artur- Artur- deleted the XorCsrfTokenRequestAttributeHandler branch April 3, 2023 15:50
@vaadin-bot
Collaborator

This ticket/PR has been released with Vaadin 24.1.0.alpha3 and is also targeting the upcoming stable 24.1.0 version.

Successfully merging this pull request may close these issues.

Support XorCsrfTokenRequestAttributeHandler
3 participants