SEC-2276: Delay saving CsrfToken until token is accessed

This also removed the CsrfToken from the response headers to prevent the token from being saved. If user's wish to return the CsrfToken in the response headers, they should use the CsrfToken found on the request.

Author: rwinch

config/src/test/groovy/org/springframework/security/config/annotation/BaseSpringSpec.groovy

@@ -36,6 +36,7 @@ import org.springframework.security.web.access.intercept.FilterSecurityIntercept
 import org.springframework.security.web.context.HttpRequestResponseHolder
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository
 import org.springframework.security.web.csrf.CsrfToken
+import org.springframework.security.web.csrf.DefaultCsrfToken;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository
 
 import spock.lang.AutoCleanup
@@ -69,7 +70,7 @@ abstract class BaseSpringSpec extends Specification {
  }
 
  def setupCsrf(csrfTokenValue="BaseSpringSpec_CSRFTOKEN") {
- csrfToken = new CsrfToken("X-CSRF-TOKEN","_csrf",csrfTokenValue)
+ csrfToken = new DefaultCsrfToken("X-CSRF-TOKEN","_csrf",csrfTokenValue)
  new HttpSessionCsrfTokenRepository().saveToken(csrfToken, request,response)
  request.setParameter(csrfToken.parameterName, csrfToken.token)
  }

config/src/test/groovy/org/springframework/security/config/annotation/web/WebSecurityConfigurerAdapterTests.groovy

@@ -79,8 +79,7 @@ class WebSecurityConfigurerAdapterTests extends BaseSpringSpec {
  'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
  'Cache-Control': 'no-cache,no-store,max-age=0,must-revalidate',
  'Pragma':'no-cache',
- 'X-XSS-Protection' : '1; mode=block',
- 'X-CSRF-TOKEN' : csrfToken.token]
+ 'X-XSS-Protection' : '1; mode=block']
  }
 
  @EnableWebSecurity

config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceHttpHeadersTests.groovy

@@ -49,8 +49,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
  'Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
  'Cache-Control': 'no-cache,no-store,max-age=0,must-revalidate',
  'Pragma':'no-cache',
- 'X-XSS-Protection' : '1; mode=block',
- 'X-CSRF-TOKEN' : csrfToken.token]
+ 'X-XSS-Protection' : '1; mode=block']
  }
 
  @Configuration
@@ -70,8 +69,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
  springSecurityFilterChain.doFilter(request,response,chain)
  then:
  responseHeaders == ['Cache-Control': 'no-cache,no-store,max-age=0,must-revalidate',
- 'Pragma':'no-cache',
- 'X-CSRF-TOKEN' : csrfToken.token]
+ 'Pragma':'no-cache']
  }
 
  @Configuration
@@ -91,8 +89,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
  when:
  springSecurityFilterChain.doFilter(request,response,chain)
  then:
- responseHeaders == ['Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains',
- 'X-CSRF-TOKEN' : csrfToken.token]
+ responseHeaders == ['Strict-Transport-Security': 'max-age=31536000 ; includeSubDomains']
  }
 
  @Configuration
@@ -111,8 +108,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
  when:
  springSecurityFilterChain.doFilter(request,response,chain)
  then:
- responseHeaders == ['Strict-Transport-Security': 'max-age=15768000',
- 'X-CSRF-TOKEN' : csrfToken.token]
+ responseHeaders == ['Strict-Transport-Security': 'max-age=15768000']
  }
 
  @Configuration
@@ -133,8 +129,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
  when:
  springSecurityFilterChain.doFilter(request,response,chain)
  then:
- responseHeaders == ['X-Frame-Options': 'SAMEORIGIN',
- 'X-CSRF-TOKEN' : csrfToken.token]
+ responseHeaders == ['X-Frame-Options': 'SAMEORIGIN']
  }
 
  @Configuration
@@ -156,8 +151,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
  when:
  springSecurityFilterChain.doFilter(request,response,chain)
  then:
- responseHeaders == ['X-Frame-Options': 'ALLOW-FROM https://example.com',
- 'X-CSRF-TOKEN' : csrfToken.token]
+ responseHeaders == ['X-Frame-Options': 'ALLOW-FROM https://example.com']
  }
 
 
@@ -178,8 +172,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
  when:
  springSecurityFilterChain.doFilter(request,response,chain)
  then:
- responseHeaders == ['X-XSS-Protection': '1; mode=block',
- 'X-CSRF-TOKEN' : csrfToken.token]
+ responseHeaders == ['X-XSS-Protection': '1; mode=block']
  }
 
  @Configuration
@@ -199,8 +192,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
  when:
  springSecurityFilterChain.doFilter(request,response,chain)
  then:
- responseHeaders == ['X-XSS-Protection': '1',
- 'X-CSRF-TOKEN' : csrfToken.token]
+ responseHeaders == ['X-XSS-Protection': '1']
  }
 
  @Configuration
@@ -220,8 +212,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
  when:
  springSecurityFilterChain.doFilter(request,response,chain)
  then:
- responseHeaders == ['X-Content-Type-Options': 'nosniff',
- 'X-CSRF-TOKEN' : csrfToken.token]
+ responseHeaders == ['X-Content-Type-Options': 'nosniff']
  }
 
  @Configuration
@@ -243,8 +234,7 @@ public class NamespaceHttpHeadersTests extends BaseSpringSpec {
  when:
  springSecurityFilterChain.doFilter(request,response,chain)
  then:
- responseHeaders == ['customHeaderName': 'customHeaderValue',
- 'X-CSRF-TOKEN' : csrfToken.token]
+ responseHeaders == ['customHeaderName': 'customHeaderValue']
  }
 
  @Configuration

config/src/test/groovy/org/springframework/security/config/http/CsrfConfigTests.groovy

@@ -29,6 +29,7 @@ import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.csrf.CsrfFilter
 import org.springframework.security.web.csrf.CsrfToken;
 import org.springframework.security.web.csrf.CsrfTokenRepository;
+import org.springframework.security.web.csrf.DefaultCsrfToken;
 import org.springframework.security.web.servlet.support.csrf.CsrfRequestDataValueProcessor
 import org.springframework.security.web.util.RequestMatcher
 
@@ -113,7 +114,7 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
  mockBean(CsrfTokenRepository,'repo')
  createAppContext()
  CsrfTokenRepository repo = appContext.getBean("repo",CsrfTokenRepository)
- CsrfToken token = new CsrfToken("X-CSRF-TOKEN","_csrf", "abc")
+ CsrfToken token = new DefaultCsrfToken("X-CSRF-TOKEN","_csrf", "abc")
  when(repo.loadToken(any(HttpServletRequest))).thenReturn(token)
  request.setParameter(token.parameterName,token.token)
  request.servletPath = "/some-url"
@@ -147,7 +148,7 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
  mockBean(CsrfTokenRepository,'repo')
  createAppContext()
  CsrfTokenRepository repo = appContext.getBean("repo",CsrfTokenRepository)
- CsrfToken token = new CsrfToken("X-CSRF-TOKEN","_csrf", "abc")
+ CsrfToken token = new DefaultCsrfToken("X-CSRF-TOKEN","_csrf", "abc")
  when(repo.loadToken(any(HttpServletRequest))).thenReturn(token)
  request.setParameter(token.parameterName,token.token)
  request.servletPath = "/some-url"
@@ -200,7 +201,7 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
  mockBean(CsrfTokenRepository,'repo')
  createAppContext()
  CsrfTokenRepository repo = appContext.getBean("repo",CsrfTokenRepository)
- CsrfToken token = new CsrfToken("X-CSRF-TOKEN","_csrf", "abc")
+ CsrfToken token = new DefaultCsrfToken("X-CSRF-TOKEN","_csrf", "abc")
  when(repo.loadToken(any(HttpServletRequest))).thenReturn(token)
  request.setParameter(token.parameterName,token.token)
  request.method = "POST"
@@ -223,7 +224,7 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
  mockBean(CsrfTokenRepository,'repo')
  createAppContext()
  CsrfTokenRepository repo = appContext.getBean("repo",CsrfTokenRepository)
- CsrfToken token = new CsrfToken("X-CSRF-TOKEN","_csrf", "abc")
+ CsrfToken token = new DefaultCsrfToken("X-CSRF-TOKEN","_csrf", "abc")
  when(repo.loadToken(any(HttpServletRequest))).thenReturn(token)
  request.setParameter(token.parameterName,token.token)
  request.method = "POST"
@@ -244,7 +245,7 @@ class CsrfConfigTests extends AbstractHttpConfigTests {
  mockBean(CsrfTokenRepository,'repo')
  createAppContext()
  CsrfTokenRepository repo = appContext.getBean("repo",CsrfTokenRepository)
- CsrfToken token = new CsrfToken("X-CSRF-TOKEN","_csrf", "abc")
+ CsrfToken token = new DefaultCsrfToken("X-CSRF-TOKEN","_csrf", "abc")
  when(repo.loadToken(any(HttpServletRequest))).thenReturn(token)
  request.setParameter(token.parameterName,token.token)
  request.method = "POST"

config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerServlet31Tests.java

@@ -40,7 +40,6 @@
 import org.springframework.mock.web.MockFilterChain;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
-import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -96,7 +95,9 @@ public void changeSessionIdDefaultsInServlet31Plus() throws Exception {
  request.setMethod("POST");
  request.setParameter("username", "user");
  request.setParameter("password", "password");
- CsrfToken token = new HttpSessionCsrfTokenRepository().generateAndSaveToken(request, response);
+ HttpSessionCsrfTokenRepository repository = new HttpSessionCsrfTokenRepository();
+ CsrfToken token = repository.generateToken(request);
+ repository.saveToken(token, request, response);
  request.setParameter(token.getParameterName(),token.getToken());
  when(ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId")).thenReturn(method);
 

web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java

@@ -70,11 +70,11 @@ protected void doFilterInternal(HttpServletRequest request,
  throws ServletException, IOException {
  CsrfToken csrfToken = tokenRepository.loadToken(request);
  if(csrfToken == null) {
- csrfToken = tokenRepository.generateAndSaveToken(request, response);
+ CsrfToken generatedToken = tokenRepository.generateToken(request);
+ csrfToken = new SaveOnAccessCsrfToken(tokenRepository, request, response, generatedToken);
  }
  request.setAttribute(CsrfToken.class.getName(), csrfToken);
  request.setAttribute(csrfToken.getParameterName(), csrfToken);
- response.addHeader(csrfToken.getHeaderName(), csrfToken.getToken());
 
  if(!requireCsrfProtectionMatcher.matches(request)) {
  filterChain.doFilter(request, response);
@@ -128,7 +128,86 @@ public void setAccessDeniedHandler(AccessDeniedHandler accessDeniedHandler) {
  this.accessDeniedHandler = accessDeniedHandler;
  }
 
- private static class DefaultRequiresCsrfMatcher implements RequestMatcher {
+ @SuppressWarnings("serial")
+ private static final class SaveOnAccessCsrfToken implements CsrfToken {
+ private transient CsrfTokenRepository tokenRepository;
+ private transient HttpServletRequest request;
+ private transient HttpServletResponse response;
+
+ private final CsrfToken delegate;
+
+ public SaveOnAccessCsrfToken(CsrfTokenRepository tokenRepository,
+ HttpServletRequest request, HttpServletResponse response,
+ CsrfToken delegate) {
+ super();
+ this.tokenRepository = tokenRepository;
+ this.request = request;
+ this.response = response;
+ this.delegate = delegate;
+ }
+
+ public String getHeaderName() {
+ return delegate.getHeaderName();
+ }
+
+ public String getParameterName() {
+ return delegate.getParameterName();
+ }
+
+ public String getToken() {
+ saveTokenIfNecessary();
+ return delegate.getToken();
+ }
+
+ @Override
+ public String toString() {
+ return "SaveOnAccessCsrfToken [delegate=" + delegate + "]";
+ }
+
+ @Override
+ public int hashCode() {
+ final int prime = 31;
+ int result = 1;
+ result = prime * result
+ + ((delegate == null) ? 0 : delegate.hashCode());
+ return result;
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj)
+ return true;
+ if (obj == null)
+ return false;
+ if (getClass() != obj.getClass())
+ return false;
+ SaveOnAccessCsrfToken other = (SaveOnAccessCsrfToken) obj;
+ if (delegate == null) {
+ if (other.delegate != null)
+ return false;
+ } else if (!delegate.equals(other.delegate))
+ return false;
+ return true;
+ }
+
+ private void saveTokenIfNecessary() {
+ if(this.tokenRepository == null) {
+ return;
+ }
+
+ synchronized(this) {
+ if(tokenRepository != null) {
+ this.tokenRepository.saveToken(delegate, request, response);
+ this.tokenRepository = null;
+ this.request = null;
+ this.response = null;
+ }
+ }
+ }
+
+ }
+
+ private static final class DefaultRequiresCsrfMatcher implements RequestMatcher {
  private Pattern allowedMethods = Pattern.compile("^(GET|HEAD|TRACE|OPTIONS)$");
 
  /* (non-Javadoc)

web/src/main/java/org/springframework/security/web/csrf/CsrfToken.java

@@ -17,37 +17,16 @@
 
 import java.io.Serializable;
 
-import org.springframework.util.Assert;
-
 /**
- * A CSRF token that is used to protect against CSRF attacks.
+ * Provides the information about an expected CSRF token.
+ *
+ * @see DefaultCsrfToken
  *
  * @author Rob Winch
  * @since 3.2
+ *
  */
-@SuppressWarnings("serial")
-public final class CsrfToken implements Serializable {
-
- private final String token;
-
- private final String parameterName;
-
- private final String headerName;
-
- /**
- * Creates a new instance
- * @param headerName the HTTP header name to use
- * @param parameterName the HTTP parameter name to use
- * @param token the value of the token (i.e. expected value of the HTTP parameter of parametername).
- */
- public CsrfToken(String headerName, String parameterName, String token) {
- Assert.hasLength(headerName, "headerName cannot be null or empty");
- Assert.hasLength(parameterName, "parameterName cannot be null or empty");
- Assert.hasLength(token, "token cannot be null or empty");
- this.headerName = headerName;
- this.parameterName = parameterName;
- this.token = token;
- }
+public interface CsrfToken extends Serializable {
 
  /**
  * Gets the HTTP header that the CSRF is populated on the response and can
@@ -56,23 +35,18 @@ public CsrfToken(String headerName, String parameterName, String token) {
  * @return the HTTP header that the CSRF is populated on the response and
  * can be placed on requests instead of the parameter
  */
- public String getHeaderName() {
- return headerName;
- }
+ String getHeaderName();
 
  /**
  * Gets the HTTP parameter name that should contain the token. Cannot be null.
  * @return the HTTP parameter name that should contain the token.
  */
- public String getParameterName() {
- return parameterName;
- }
+ String getParameterName();
 
  /**
  * Gets the token value. Cannot be null.
  * @return the token value
  */
- public String getToken() {
- return token;
- }
-}
+ String getToken();
+
+}

web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRepository.java

@@ -33,17 +33,14 @@
 public interface CsrfTokenRepository {
 
  /**
- * Generates and saves the expected {@link CsrfToken}
+ * Generates a {@link CsrfToken}
  *
  * @param request
  * the {@link HttpServletRequest} to use
- * @param response
- * the {@link HttpServletResponse} to use
- * @return the {@link CsrfToken} that was generated and saved. Cannot be
+ * @return the {@link CsrfToken} that was generated. Cannot be
  * null.
  */
- CsrfToken generateAndSaveToken(HttpServletRequest request,
- HttpServletResponse response);
+ CsrfToken generateToken(HttpServletRequest request);
 
  /**
  * Saves the {@link CsrfToken} using the {@link HttpServletRequest} and