Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CsrfAuthenticationStrategy does not check for existing token #12236

Closed
sjohnr opened this issue Nov 17, 2022 · 0 comments
Closed

CsrfAuthenticationStrategy does not check for existing token #12236

sjohnr opened this issue Nov 17, 2022 · 0 comments
Assignees
@sjohnr
Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug
Milestone
5.8.0

Comments

@sjohnr
Copy link
Member

sjohnr commented Nov 17, 2022
edited
Loading

Describe the bug
CsrfAuthenticationStrategy does not check for an existing token and always saves a null token when called. When used with CookieCsrfTokenRepository, this results in three Set-Cookie headers in the response. For example:

http :8080/login -a user:password

produces a response like:

HTTP/1.1 200 
Set-Cookie: XSRF-TOKEN=e97cdf5e-0dbc-45d3-8720-d2731023c3fa; Path=/
Set-Cookie: XSRF-TOKEN=; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: XSRF-TOKEN=0dec2144-d4e6-479e-8c56-e70e61423cb6; Path=/
...

Note: The fix for gh-12141 addressed a related problem, originally discussed in gh-12094.

To Reproduce
See sample.

  1. http :8080/login -a user:password
  2. Observe that POST /login contains three Set-Cookie headers for XSRF-TOKEN.

Expected behavior
Because the request did not contain an XSRF-TOKEN cookie, only a single Set-Cookie header containing the generated token should be returned in the response.

Sample

Spring Security Version: 5.8.0-SNAPSHOT (after 6b0ed02).

@SpringBootApplication
public class DemoApplication {

	public static void main(String[] args) {
		SpringApplication.run(DemoApplication.class, args);
	}

}
@Configuration
@EnableWebSecurity
public class SecurityConfig {

	@Bean
	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
		// @formatter:off
		http
			.authorizeHttpRequests((authorize) -> authorize
				.anyRequest().authenticated()
			)
			.csrf((csrf) -> csrf
				.csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
			)
			.httpBasic(Customizer.withDefaults());
		// @formatter:on
		return http.build();
	}

	@Bean 
	public UserDetailsService userDetailsService() {
		// @formatter:off
		UserDetails userDetails = User.withDefaultPasswordEncoder()
				.username("user")
				.password("password")
				.roles("USER")
				.build();
		// @formatter:on
		return new InMemoryUserDetailsManager(userDetails);
	}

}
@sjohnr sjohnr added in: web An issue in web modules (web, webmvc) type: bug A general bug labels Nov 17, 2022
@sjohnr sjohnr added this to the 5.8.0 milestone Nov 17, 2022
@sjohnr sjohnr self-assigned this Nov 17, 2022
@sjohnr sjohnr mentioned this issue Nov 18, 2022
Closed
sjohnr added a commit that referenced this issue Nov 18, 2022
@sjohnr
Add configurer tests for CookieCsrfTokenRepository
ea6ce05 
Issue gh-12236
@sjohnr sjohnr closed this as completed in 2ed7cff Nov 18, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sjohnr sjohnr

Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug
Projects
None yet
Milestone
5.8.0
Development

No branches or pull requests
1 participant
@sjohnr