Description
Summary
The CSRF cookie is not set on the reactive (WebFlux) stack in the first response from the server. The same configuration running on the servlet stack does send the cookie.
Actual Behavior
Missing 'Set-Cookie' header in server response
Expected Behavior
A 'Set-Cookie' response header carrying the CSRF token is expected on the first response.
Configuration
@SpringBootApplication
public class DemoCsrfApplication {

    /**
     * Entry point of the reproducer. All security and web configuration lives in the
     * sibling classes; this class only bootstraps the Spring context.
     */
    public static void main(String[] args) {
        new SpringApplication(DemoCsrfApplication.class).run(args);
    }
}
@RestController
class HomeController {

    /** Constant payload returned by the only endpoint; Map.of() is immutable, so sharing it is safe. */
    private static final Map<String, String> GREETING = Map.of("value", "Hello World");

    /**
     * Anonymous GET endpoint used by the reproducer to trigger the very first response,
     * i.e. the response on which the CSRF cookie is expected.
     *
     * @return a single-entry JSON object {"value": "Hello World"}
     */
    @GetMapping("/")
    public Map<String, String> getGreetings() {
        return GREETING;
    }
}
@Configuration
@EnableWebFluxSecurity
class AppSecurityConfig {

    /**
     * Security chain for the reproducer: anonymous GET is allowed, every other exchange
     * requires an authenticated principal (HTTP Basic), and the CSRF token is persisted
     * in a cookie that is deliberately NOT HttpOnly so browser-side scripts can read it
     * and echo it back in a request header.
     *
     * NOTE(review): on WebFlux the CsrfToken exchange attribute appears to be a lazily
     * evaluated Mono, and nothing in this sample subscribes to it. That is presumably why
     * the first response carries no Set-Cookie header, unlike the servlet stack — confirm
     * against the CsrfWebFilter behaviour of the version in use before relying on this
     * configuration to seed the cookie.
     *
     * @param http the reactive security builder injected by Spring Security
     * @return the built filter chain
     */
    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        // Authorization rules: unauthenticated GET, everything else needs a principal.
        http.authorizeExchange()
                .pathMatchers(HttpMethod.GET).permitAll()
                .anyExchange().authenticated();

        // CSRF token lives in a cookie; HttpOnly disabled on purpose so front-end JS can read it.
        http.csrf()
                .csrfTokenRepository(CookieServerCsrfTokenRepository.withHttpOnlyFalse());

        // HTTP Basic for the protected exchanges, plus default CORS handling.
        http.httpBasic();
        http.cors();

        return http.build();
    }
}
Test
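@AutoConfigureWebTestClient
@ExtendWith(SpringExtension.class)
@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
class DemoCsrfApplicationTests {

    @Autowired
    private WebTestClient webClient;

    /**
     * Reproducer: an anonymous GET to "/" must carry the CSRF cookie on the very first
     * response. The assertion is pinned to the cookie name (XSRF-TOKEN, the default of
     * CookieServerCsrfTokenRepository) rather than to the mere presence of a Set-Cookie
     * header, so that some other cookie cannot mask a missing CSRF token.
     */
    @Test
    void contextLoads() {
        this.webClient.get().uri("/")
                .exchange()
                .expectStatus().isOk()
                // Fails with "header not found" when the reactive stack skips the cookie.
                .expectHeader().exists("Set-Cookie")
                .expectHeader().valueMatches("Set-Cookie", "XSRF-TOKEN=.*");
    }
}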
Version
Spring Boot 2.2.0.BUILD-SNAPSHOT
spring-security-web 5.2.0.RC1
Sample
The entire sample is the code shown above.