
CookieCsrfTokenRepository overwrites previous Set-Cookie response headers #13075

Closed
@mraible

Description


Describe the bug

With Spring Boot 3.0.5, I have the following Security Configuration and CSRF works as expected.

package com.okta.developer.jugtours.config;

import com.okta.developer.jugtours.web.CookieCsrfFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authz) -> authz
                .requestMatchers("/", "/api/user").permitAll()
                .anyRequest().authenticated()
            );

        http.oauth2Login();
        http.oauth2ResourceServer().jwt();

        http.csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
        http.addFilterAfter(new CookieCsrfFilter(), BasicAuthenticationFilter.class);

        return http.build();
    }
}

If I upgrade to 3.1.0-RC1, it seems that CSRF causes issues, and I'm unable to log in and see any endpoints (e.g. /api/groups) that are secured. It results in an endless redirect that eventually leads to rate-limiting errors (from Auth0, in my case).

To Reproduce

Here's a repo that you can reproduce the problem with: https://github.com/oktadev/auth0-spring-boot-angular-crud-example

Instructions to reproduce:

  1. Clone the repo above.

     git clone https://github.com/oktadev/auth0-spring-boot-angular-crud-example
    
  2. Install the Auth0 CLI and run auth0 login in a terminal. Then, run auth0 apps create:

     auth0 apps create \
       --name "Spring Boot 3.1" \
       --description "So Bootiful" \
       --type regular \
       --callbacks http://localhost:8080/login/oauth2/code/okta \
       --logout-urls http://localhost:8080 \
       --reveal-secrets
    
  3. Copy the results from the CLI into an okta.env file:

     export OKTA_OAUTH2_ISSUER=https://<your-auth0-domain>/
     export OKTA_OAUTH2_CLIENT_ID=<your-client-id>
     export OKTA_OAUTH2_CLIENT_SECRET=<your-client-secret>
     export OKTA_OAUTH2_AUDIENCE=https://<your-auth0-domain>/api/v2/
    
  4. Start the app and log in:

     source okta.env
     mvn spring-boot:run
    

You'll get an infinite redirect when you try to hit http://localhost:8080/api/groups. If you disable CSRF, it will work. Also, if you modify pom.xml to use Spring Boot version 3.0.5, everything will work without disabling CSRF.

Expected behavior

Everything should work just fine with Spring Boot 3.1, as it does with Spring Boot 3.0.5.

Sample

https://github.com/oktadev/auth0-spring-boot-angular-crud-example
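A regression check for the behaviour named in the issue title, added here as example code (not the reporter's code and not part of Spring Security): it puts a cookie on the response before saving a CSRF token and reports whether both Set-Cookie headers survive, which is what a login flow needs when the session cookie and the XSRF-TOKEN cookie are written in the same response. It assumes spring-test (MockHttpServletRequest/MockHttpServletResponse) and spring-security-web on the classpath; the cookie name EARLIER_COOKIE and its value are constructed.

```java
import java.util.List;

import jakarta.servlet.http.Cookie;
import org.springframework.http.HttpHeaders;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfToken;

/** Regression check: saving a CSRF token must not discard Set-Cookie headers already on the response. */
public class CsrfCookiePreservationCheck {

    /**
     * Returns true when the pre-existing cookie and the XSRF-TOKEN cookie both
     * remain as separate Set-Cookie headers after saveToken().
     */
    public static boolean setCookieHeadersPreserved(CookieCsrfTokenRepository repository) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/api/groups");
        MockHttpServletResponse response = new MockHttpServletResponse();

        // Constructed stand-in for a cookie written earlier in the filter chain (e.g. a session cookie).
        Cookie earlier = new Cookie("EARLIER_COOKIE", "constructed-value");
        earlier.setHttpOnly(true);
        earlier.setPath("/");
        response.addCookie(earlier);

        // Default cookie name for CookieCsrfTokenRepository is XSRF-TOKEN.
        CsrfToken token = repository.generateToken(request);
        repository.saveToken(token, request, response);

        List<String> setCookie = response.getHeaders(HttpHeaders.SET_COOKIE);
        boolean earlierKept = setCookie.stream().anyMatch(h -> h.startsWith("EARLIER_COOKIE="));
        boolean csrfWritten = setCookie.stream().anyMatch(h -> h.startsWith("XSRF-TOKEN="));
        return earlierKept && csrfWritten;
    }

    public static void main(String[] args) {
        boolean ok = setCookieHeadersPreserved(CookieCsrfTokenRepository.withHttpOnlyFalse());
        System.out.println(ok ? "Set-Cookie headers preserved" : "Earlier Set-Cookie header was overwritten");
        if (!ok) {
            System.exit(1);
        }
    }
}
```

Run it against both the 3.0.x and 3.1.x dependency sets; a false result on one version and true on the other isolates the header-clobbering regression from the OAuth2 redirect symptom described above.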

Labels

in: web (An issue in web modules (web, webmvc)), type: bug (A general bug)