|
2 | 2 |
|
3 | 3 | If you have already performed the xref:migration/index.adoc[initial migration steps] for your Reactive application, you're now ready to perform steps specific to Reactive applications.
|
4 | 4 |
|
| 5 | +== Exploit Protection Migrations |
| 6 | + |
| 7 | +The following steps relate to changes around how to configure CSRF. |
| 8 | + |
| 9 | +=== Configure `tokenFromMultipartDataEnabled` |
| 10 | + |
| 11 | +In Spring Security 5.8, the method `tokenFromMultipartDataEnabled` was deprecated in favor of `ServerCsrfTokenRequestAttributeHandler#setTokenFromMultipartDataEnabled`. |
| 12 | + |
| 13 | +To address the deprecation, the following code: |
| 14 | + |
| 15 | +.Configure `tokenFromMultipartDataEnabled` with DSL |
| 16 | +==== |
| 17 | +.Java |
| 18 | +[source,java,role="primary"] |
| 19 | +---- |
| 20 | +@Bean |
| 21 | +SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) { |
| 22 | + http |
| 23 | + // ... |
| 24 | + .csrf((csrf) -> csrf |
| 25 | + .tokenFromMultipartDataEnabled(true) |
| 26 | + ); |
| 27 | + return http.build(); |
| 28 | +} |
| 29 | +---- |
| 30 | +
|
| 31 | +.Kotlin |
| 32 | +[source,kotlin,role="secondary"] |
| 33 | +---- |
| 34 | +@Bean |
| 35 | +open fun securityWebFilterChain(http: HttpSecurity): SecurityWebFilterChain { |
| 36 | + return http { |
| 37 | + // ... |
| 38 | + csrf { |
| 39 | + tokenFromMultipartDataEnabled = true |
| 40 | + } |
| 41 | + } |
| 42 | +} |
| 43 | +---- |
| 44 | +==== |
| 45 | + |
| 46 | +can be replaced with: |
| 47 | + |
| 48 | +.Configure `tokenFromMultipartDataEnabled` with `ServerCsrfTokenRequestAttributeHandler` |
| 49 | +==== |
| 50 | +.Java |
| 51 | +[source,java,role="primary"] |
| 52 | +---- |
| 53 | +@Bean |
| 54 | +SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) { |
| 55 | + ServerCsrfTokenRequestAttributeHandler requestHandler = new ServerCsrfTokenRequestAttributeHandler(); |
| 56 | + requestHandler.setTokenFromMultipartDataEnabled(true); |
| 57 | + http |
| 58 | + // ... |
| 59 | + .csrf((csrf) -> csrf |
| 60 | + .csrfTokenRequestHandler(requestHandler) |
| 61 | + ); |
| 62 | + return http.build(); |
| 63 | +} |
| 64 | +---- |
| 65 | +
|
| 66 | +.Kotlin |
| 67 | +[source,kotlin,role="secondary"] |
| 68 | +---- |
| 69 | +@Bean |
| 70 | +open fun securityWebFilterChain(http: HttpSecurity): SecurityWebFilterChain { |
| 71 | + val requestHandler = ServerCsrfTokenRequestAttributeHandler() |
| 72 | + requestHandler.tokenFromMultipartDataEnabled = true |
| 73 | + return http { |
| 74 | + // ... |
| 75 | + csrf { |
| 76 | + csrfTokenRequestHandler = requestHandler |
| 77 | + } |
| 78 | + } |
| 79 | +} |
| 80 | +---- |
| 81 | +==== |
| 82 | + |
5 | 83 | == Use `AuthorizationManager` for Method Security
|
6 | 84 |
|
7 | 85 | xref:reactive/authorization/method.adoc[Method Security] has been xref:reactive/authorization/method.adoc#jc-enable-reactive-method-security-authorization-manager[improved] through {security-api-url}org/springframework/security/authorization/AuthorizationManager.html[the `AuthorizationManager` API] and direct use of Spring AOP.
|
|