CSRF with Cookies not provided on Reactive web stack #7452

Closed
langrp opened this issue Sep 18, 2019 · 1 comment
Labels
status: waiting-for-triage An issue we've not yet triaged

Comments

langrp commented Sep 18, 2019

Summary

CSRF cookies are not set on the reactive web stack for the first response from the server. The same configuration running on the servlet stack provides cookies.

Actual Behavior

Missing 'Set-Cookie' header in server response

Expected Behavior

Response header 'Set-Cookie' with CSRF token is expected

Configuration

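```java
import java.util.Map;

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.csrf.CookieServerCsrfTokenRepository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication
public class DemoCsrfApplication {

	public static void main(String[] args) {
		SpringApplication.run(DemoCsrfApplication.class, args);
	}

}

@RestController
class HomeController {

	// Unauthenticated GET endpoint used as the first request in the test
	@GetMapping("/")
	public Map<String, String> getGreetings() {
		return Map.of("value", "Hello World");
	}

}

@Configuration
@EnableWebFluxSecurity
class AppSecurityConfig {

	@Bean
	public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
		http.authorizeExchange()
				.pathMatchers(HttpMethod.GET).permitAll()
				.anyExchange().authenticated()
				.and()
			.csrf()
				// Cookie-based token repository; HttpOnly is off so client-side script can read the token
				.csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse())
				.and()
			.httpBasic().and()
			.cors();
		return http.build();
	}
}
```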

Test

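```java
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.reactive.AutoConfigureWebTestClient;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.test.context.junit.jupiter.SpringExtension;
import org.springframework.test.web.reactive.server.WebTestClient;

@AutoConfigureWebTestClient
@ExtendWith(SpringExtension.class)
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class DemoCsrfApplicationTests {

	@Autowired
	private WebTestClient webClient;

	@Test
	void contextLoads() {

		// First GET to the server: the response is expected to carry the CSRF cookie
		this.webClient.get().uri("/")
				.exchange()
				.expectStatus().isOk()
				.expectHeader().exists("Set-Cookie");

	}

}
```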

Version

Spring Boot 2.2.0.BUILD-SNAPSHOT
spring-security-web 5.2.0.RC1

Sample

Entirely the code above

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Sep 18, 2019
langrp commented Nov 4, 2019

Duplicate of 5766

@langrp langrp closed this as completed Nov 4, 2019
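
A commonly used workaround for the behaviour reported above, as an added example that is not part of the original issue or of the Spring Security code base. It assumes that the reactive CSRF filter publishes the token as a deferred `Mono<CsrfToken>` exchange attribute that is only generated and saved (and the cookie only written) once something subscribes to it; the class name `CsrfCookieConfig` and the bean name `csrfCookieSubscriber` are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.server.WebFilter;

import reactor.core.publisher.Mono;

@Configuration
class CsrfCookieConfig { // hypothetical class name, not from the issue

	// Assumption: as a plain, unordered WebFilter bean this runs after the
	// Spring Security filter chain, so the CsrfToken attribute is already set.
	@Bean
	WebFilter csrfCookieSubscriber() { // hypothetical bean name
		return (exchange, chain) -> {
			// Assumption: the CSRF filter stores a deferred token under this
			// attribute name; fall back to an empty Mono if CSRF is disabled.
			Mono<CsrfToken> token = exchange.getAttributeOrDefault(
					CsrfToken.class.getName(), Mono.empty());
			// Subscribing to the token lets the configured repository
			// (CookieServerCsrfTokenRepository in the issue's configuration)
			// save it, which adds Set-Cookie before the response is committed.
			// The rest of the chain runs only after that has completed.
			return token.then(chain.filter(exchange));
		};
	}
}
```

With this bean added to the configuration from the issue, the `expectHeader().exists("Set-Cookie")` assertion in the test above is the check to rerun.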