Add WebFlux RequestDataValueProcessor #4762

Closed
rwinch opened this issue Oct 31, 2017 · 3 comments
Comments

@rwinch
Member

rwinch commented Oct 31, 2017

Summary

We need to provide integration with WebFlux RequestDataValueProcessor

@rwinch rwinch added type: enhancement A general enhancement Reactive in: web An issue in web modules (web, webmvc) labels Oct 31, 2017
@rwinch rwinch added this to the 5.0.0 milestone Oct 31, 2017
@rwinch rwinch self-assigned this Oct 31, 2017
@rwinch rwinch closed this as completed in 6760203 Nov 8, 2017
thomasdarimont pushed a commit to thomasdarimont/spring-security that referenced this issue Apr 25, 2018
@danielfernandez

Does this need any specific configuration steps besides @EnableWebFluxSecurity? Using 5.1.0.RC2, during view processing (and once authenticated), when executing org.springframework.security.web.reactive.result.view.CsrfRequestDataValueProcessor#getExtraHiddenFields(...) it tries to do this:

```java
// DEFAULT_CSRF_ATTR_NAME == "_csrf"
CsrfToken token = exchange.getAttribute(DEFAULT_CSRF_ATTR_NAME);
```

...but there is nothing there. Instead, the only ServerWebExchange attribute that seems related is a Mono<CsrfToken> object, but with attribute name org.springframework.security.web.server.csrf.CsrfToken.

Am I missing anything? Is it normal that the CSRF token is not at the _csrf exchange attribute during view execution, and that instead only this (unresolved) Mono<CsrfToken> is there?

@rwinch
Member Author

rwinch commented Sep 20, 2018

Unfortunately, at the moment, users must expose the CSRF token as a request attribute for it to be found. This is also true for the Authentication.

```java
import org.springframework.security.web.reactive.result.view.CsrfRequestDataValueProcessor;
import org.springframework.security.web.server.csrf.CsrfToken;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@ControllerAdvice
public class SecurityControllerAdvice {

	// Exposes the CSRF token as a model attribute. Subscribing to the Mono that
	// CsrfWebFilter stored under CsrfToken.class.getName() resolves the token,
	// and doOnSuccess copies it to the "_csrf" exchange attribute that
	// CsrfRequestDataValueProcessor reads when it renders hidden form fields.
	@ModelAttribute
	Mono<CsrfToken> csrfToken(ServerWebExchange exchange) {
		Mono<CsrfToken> csrfToken = exchange.getAttribute(CsrfToken.class.getName());
		if (csrfToken == null) {
			return Mono.empty();
		}
		return csrfToken.doOnSuccess(token -> exchange.getAttributes()
				.put(CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME, token));
	}

	// @CurrentUser is a custom meta-annotation (typically wrapping
	// @AuthenticationPrincipal) and User is the application's principal type.
	@ModelAttribute("currentUser")
	User currentUser(@CurrentUser User currentUser) {
		return currentUser;
	}
}
```

The reason is that we don't know if the user needs the CSRF token, so we cannot subscribe to the Mono<Csrf> on their behalf (which triggers it to be saved and thus a session created). We also cannot resolve a Mono<CsrfToken> in CsrfRequestDataValueProcessor because its methods are not reactive types. The thought was that we cannot have a reactive type because the view (i.e. Thymeleaf) would not be able to subscribe to it. Perhaps you have some ideas around this current limitation?

cc @rstoyanchev
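The hidden `_csrf` field that CsrfRequestDataValueProcessor renders only matters because CsrfWebFilter rejects state-changing requests that do not carry the token. The following test is an added example, not code from this thread or from Spring Security's own test suite; it checks that server-side behaviour directly with WebTestClient, using the `csrf()` mutator from spring-security-test to stand in for a form that was rendered with the hidden field. It assumes Spring Security 5.1.x with spring-security-test and JUnit 4 on the classpath; the `/transfer` endpoint, the `TransferController` class and the mock user are constructed for the test.

```java
package example;

import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.csrf;
import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.mockUser;
import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.springSecurity;

import org.junit.Before;
import org.junit.Test;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.WebFilterChainProxy;
import org.springframework.test.web.reactive.server.WebTestClient;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

// Added example (not part of the issue thread): verifies that the WebFlux
// CsrfWebFilter rejects a POST without a token and accepts one that carries it.
public class CsrfWebFilterTest {

	// Constructed endpoint standing in for any state-changing form target.
	@RestController
	static class TransferController {
		@PostMapping("/transfer")
		String transfer() {
			return "transferred";
		}
	}

	private WebTestClient rest;

	@Before
	public void setUp() {
		// CSRF protection is on by default in ServerHttpSecurity; csrf() is
		// called explicitly so the test documents what it relies on.
		SecurityWebFilterChain chain = ServerHttpSecurity.http()
				.csrf().and()
				.authorizeExchange().anyExchange().authenticated().and()
				.build();

		// WebFilterChainProxy adapts the SecurityWebFilterChain to a plain
		// WebFilter so no Spring application context is needed here.
		this.rest = WebTestClient.bindToController(new TransferController())
				.webFilter(new WebFilterChainProxy(chain))
				.apply(springSecurity())
				.configureClient()
				.build();
	}

	@Test
	public void postWithoutCsrfTokenIsForbidden() {
		// Authenticated, but no token: CsrfWebFilter's default
		// access-denied handler answers 403 before the controller runs.
		this.rest.mutateWith(mockUser())
				.post().uri("/transfer")
				.exchange()
				.expectStatus().isForbidden();
	}

	@Test
	public void postWithCsrfTokenIsAccepted() {
		// csrf() plays the role of the hidden "_csrf" field that
		// CsrfRequestDataValueProcessor would have rendered into the form.
		this.rest.mutateWith(mockUser()).mutateWith(csrf())
				.post().uri("/transfer")
				.exchange()
				.expectStatus().isOk()
				.expectBody(String.class).isEqualTo("transferred");
	}
}
```

The first test is the one worth keeping in a real project: if someone later disables CSRF or widens the request matcher, it fails, which is the cheapest way to notice that the hidden field the processor emits is no longer being enforced.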

@danielfernandez

> Perhaps you have some ideas around this current limitation?

Please see my comment on #5867. Version 3.0.10 of thymeleaf and thymeleaf-spring5, in combination with version 3.0.3 of thymeleaf-extras-springsecurity5 should be able to resolve this Mono<CsrfToken> using the mechanism just developed for being able to resolve the Mono<SecurityContext> in a non-blocking manner. Note however that unfortunately this means the CsrfToken will be resolved for every template being rendered.

danielfernandez added a commit to thymeleaf/thymeleaf-extras-springsecurity that referenced this issue Sep 20, 2018