
CSRF with Cookies not provided on Reactive web stack #7452

Closed
@langrp

Description


Summary

The CSRF cookie is not set on the reactive web stack for the first response from the server. The same configuration running on the servlet stack provides the cookie.

Actual Behavior

Missing 'Set-Cookie' header in the server response.

Expected Behavior

A 'Set-Cookie' response header carrying the CSRF token is expected.

Configuration

```java
import java.util.Map;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
public class DemoCsrfApplication {

	public static void main(String[] args) {
		SpringApplication.run(DemoCsrfApplication.class, args);
	}

}

// Plain JSON endpoint; it never reads the CsrfToken exchange attribute.
@RestController
class HomeController {

	@GetMapping("/")
	public Map<String, String> getGreetings() {
		return Map.of("value", "Hello World");
	}

}

@Configuration
@EnableWebFluxSecurity
class AppSecurityConfig {

	@Bean
	public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
		http.authorizeExchange()
				.pathMatchers(HttpMethod.GET).permitAll()
				.anyExchange().authenticated()
				.and()
			// Keep the CSRF token in a cookie that JavaScript can read (HttpOnly=false),
			// the usual setup for a single-page app that echoes the value back in a header.
			.csrf()
				.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
				.and()
			.httpBasic().and()
			.cors();
		return http.build();
	}
}
```

Test

```java
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.reactive.server.WebTestClient;

@AutoConfigureWebTestClient
@ExtendWith(SpringExtension.class)
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class DemoCsrfApplicationTests {

	@Autowired
	private WebTestClient webClient;

	// First request to the app: the CSRF cookie is expected on this very response.
	@Test
	void contextLoads() {

		this.webClient.get().uri("/")
				.exchange()
				.expectStatus().isOk()
				.expectHeader().exists("Set-Cookie");

	}

}
```

Version

Spring Boot 2.2.0.BUILD-SNAPSHOT
spring-security-web 5.2.0.RC1

Sample

The complete sample is the code above.
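The behaviour reported above follows from how the reactive `CsrfWebFilter` exposes the token: it stores a lazy `Mono<CsrfToken>` under the `CsrfToken.class.getName()` exchange attribute, and `CookieServerCsrfTokenRepository.saveToken` (which writes the `Set-Cookie` header) only runs when that `Mono` is subscribed. A JSON controller that never reads the attribute never triggers it, whereas the servlet `CsrfFilter` saves the token eagerly. The following is an added example, not code from the issue reporter or from the Spring Security project: a `WebFilter` that subscribes to the token on every exchange, plus a test asserting on the default `XSRF-TOKEN` cookie name used by `CookieServerCsrfTokenRepository`. It assumes the filter bean lives in the same application as the configuration above; the class and bean names are chosen here for illustration.

```java
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.server.WebFilter;
import reactor.core.publisher.Mono;

// Added example (hypothetical class name). Forces the lazy CsrfToken Mono to be
// subscribed on every exchange so the repository's saveToken runs and the cookie
// is written even when no controller or template ever reads the token.
@Configuration
class CsrfCookieConfig {

	@Bean
	WebFilter csrfCookieWebFilter() {
		return (exchange, chain) -> {
			// The attribute is only present once Spring Security's WebFilterChainProxy
			// (order -100) has run; an unordered WebFilter bean is sorted after it, so
			// the token is available here.
			Mono<CsrfToken> csrfToken = exchange.getAttributeOrDefault(CsrfToken.class.getName(), Mono.empty());
			return csrfToken
					// Subscribing is the whole point; the token value itself is not needed here.
					.doOnSuccess(token -> { })
					.then(chain.filter(exchange));
		};
	}
}

// Added example test: with the filter above in place, the first GET already
// carries the CSRF cookie, and withHttpOnlyFalse() leaves it readable by JavaScript.
@AutoConfigureWebTestClient
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class CsrfCookieOnFirstResponseTests {

	@Autowired
	private WebTestClient webClient;

	@Test
	void firstResponseSetsCsrfCookie() {
		this.webClient.get().uri("/")
				.exchange()
				.expectStatus().isOk()
				.expectHeader().exists("Set-Cookie")
				.expectCookie().exists("XSRF-TOKEN")
				.expectCookie().httpOnly("XSRF-TOKEN", false);
	}
}
```

A browser client then reads `XSRF-TOKEN` and sends its value back in the `X-XSRF-TOKEN` header on state-changing requests; without the forced subscription the cookie would only appear on a response whose handler happened to consume the token attribute.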
