Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add the ability to set the SameSite policy to the CRSF Cookie #12109

Closed
wants to merge 8 commits into from
Closed

Add the ability to set the SameSite policy to the CRSF Cookie #12109

wants to merge 8 commits into from

Conversation

kumo829
Copy link
Contributor

@kumo829 kumo829 commented Oct 29, 2022

Add a new public method to the class org.springframework.security.web.csrf.CookieCsrfTokenRepository that allows setting the SameSite policy as an optional parameter; with this, when sending the CSRF token in a cookie instead of a header, no warning or error should be displayed in the browser's console.

Removes unnecessary default no-parameters empty constructor.

This could fix gh-12086

@kumo829
Add the ability to set the SameSite policy to the CRSF Cookie
b9cd4c3 
Add a new public method to the class org.springframework.security.web.csrf.CookieCsrfTokenRepository that allows setting the SameSite policy as an optional parameter; with this, when sending the CSRF token in a cookie instead of a header, no warning or error should be displayed in the browser's console.

Removes unnecessary default no-parameters empty constructor.

Fix gh-12086
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 29, 2022
jzheaux
jzheaux requested changes Nov 15, 2022
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @kumo829, for the PR! I've left some feedback inline.

@jzheaux jzheaux self-assigned this Nov 15, 2022
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels Nov 15, 2022
@jzheaux jzheaux added this to the 6.1.0-M1 milestone Nov 15, 2022
@kumo829
- Remove un necessary new method to set same site policy.
777708d 
- Mark setCookieHttpOnly, setCookieDomain, setCookieMaxAge and setSecure as deprecated.
- Add the method addCookieInitializer which allows to set properties to the ResponseCookieBuilder without having to add new setter methods.
- Apply same changes to CookieServerCsrfTokenRepository.
- Add unit tests to validate the use of same site policy.
@kumo829
Merge branch 'main' into main
ad574a7
@kumo829
Copy link
Contributor Author

kumo829 commented Nov 15, 2022

Hi, @jzheaux; thanks for the comments. I made the requested changes. Please let me know if you consider any other changes required.

jzheaux
jzheaux requested changes Nov 15, 2022
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks again, @kumo829! I've left some additional feedback inline.

@kumo829
- Remove un necessary new method to set same site policy.
825aefb 
- Mark setCookieHttpOnly, setCookieDomain, setCookieMaxAge and setSecure as deprecated.
- Add the method setCookieCustomizer which allows to set properties to the ResponseCookieBuilder without having to add new setter methods.
- Apply same changes to CookieServerCsrfTokenRepository.
- Add unit tests to validate the use of same site policy.
@kumo829
- Remove un necessary new method to set same site policy.
62d1b40 
- Mark setCookieHttpOnly, setCookieDomain, setCookieMaxAge and setSecure as deprecated.
- Add the method setCookieCustomizer which allows to set properties to the ResponseCookieBuilder without having to add new setter methods.
- Apply same changes to CookieServerCsrfTokenRepository.
- Add unit tests to validate the use of same site policy.
@kumo829
- Junit 5 cleanup removing public modifier in tests and classes
1b0dbb0 
- Changes to use assertJ semantic methods as isTrue and isNull
@kumo829
Copy link
Contributor Author

kumo829 commented Nov 16, 2022

Hi @jzheaux, thanks for the comments and suggestions. I addressed them.

jzheaux
jzheaux requested changes Nov 17, 2022
View reviewed changes
Copy link
Contributor

@jzheaux jzheaux left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, @kumo829! I left two minor items for you inline.

In preparation for merging, will you please squash your commits into two; one for the feature and one for the Junit cleanup? In the feature commit, will you please format it to include the ticket like so:

Your Commit Title

Any additional description

Closes gh-12086

Doing it this way makes so that when the PR is merged, the ticket is automatically closed.

web/src/main/java/org/springframework/security/web/csrf/CookieCsrfTokenRepository.java
.httpOnly(this.cookieHttpOnly)
.domain(this.cookieDomain);

this.cookieCustomizer.accept(cookieBuilder);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The indentation looks off here. Would you mind adjusting it, please?

.../main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java
* @since 6.1
*/
public void setCookieCustomizer(Consumer<ResponseCookie.ResponseCookieBuilder> cookieCustomizer) {
this.cookieCustomizer = cookieCustomizer;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please check for null. You can use Assert.notNull(cookieCustomizer, "cookieCustomizer must not be null").

@kumo829
Add a customizer to CookieCsrfTokenRepository and CookieServerCsrfTok…
58f14e4 
…enRepository

- Mark setCookieHttpOnly, setCookieDomain, setCookieMaxAge and setSecure as deprecated.
- Add the method setCookieCustomizer which allows to set properties to the ResponseCookieBuilder without having to add new setter methods.

Closes gh-12086
@kumo829
Merge branch 'spring-projects:main' into main
2b6b0a0
@kumo829 kumo829 closed this by deleting the head repository Nov 18, 2022
@kumo829
Copy link
Contributor Author

kumo829 commented Nov 18, 2022

Hi @jzheaux, Sorry, made a real mess with the history when rebasing from old commits 🥲. Was easier to close this PR and create a new one with the changes. Hope that's OK: #12237

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jzheaux jzheaux jzheaux requested changes

Assignees

@jzheaux jzheaux

Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Projects
None yet
Milestone
6.1.0-M1
Development

Successfully merging this pull request may close these issues.

Add an option to set the SameSite policy in the CookieCsrfTokenRepository
3 participants
@kumo829 @jzheaux @spring-projects-issues