Spring (Spring Boot) 如何向前端提供 CSRF 令牌?

I am trying to add CSRF protection to a project which is based on Spring-Boot (particularly WebFlux).


What I have tried so far is below security configuration.

public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {

            new NegatedServerWebExchangeMatcher(
                new OrServerWebExchangeMatcher(
                        ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, FORM_LOGIN_URL),
                            .pathMatchers(HttpMethod.GET, PERMISSION_ENDPOINT)
        .accessDeniedHandler(new CustomHttpStatusServerAccessDeniedHandler(HttpStatus.FORBIDDEN))

    return http.build();

But when I tried above configuration, I could not see anything related to a CSRF token being pushed from server to browser. Is it not by default being pushed to clients? If so what would be the cleaner way to provide CSRF token to client (browser)? In which spring document this is mentioned. (I followed this one -> https://docs.spring.io/spring-security/site/docs/3.2.0.CI-SNAPSHOT/reference/html/csrf.html)


P.S. (hoping these following information are of any use for an answer)

  • My login form is not being served by Spring Boot Webflux application. It is served by a angular application running on a different domain (different IP & Port). That is why I have a FORM_LOGIN_URL constant in above configuration, which is used as .loginPage(FORM_LOGIN_URL). I have customized the .authenticationSuccessHandler() to redirect to PERMISSION_ENDPOINT which worked as intended up until.

This part is a bit poorly documented, but apparently the csrf-token wont be saved unless you subscribe to the result.

public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {

   final CookieServerCsrfTokenRepository cookieServerCsrfTokenRepository = new CookieServerCsrfTokenRepository();



// Add a tiny webfilter that just subscribes
public WebFilter addCsrfToken() {
    return (exchange, next) -> exchange.<Mono<CsrfToken>>getAttribute(CsrfToken.class.getName())
                .doOnSuccess(token -> {}) // do nothing, just subscribe :/

the above solution works well if you are using functional endpoints. You can also use a @ControllerAdvice approach.

public class SecurityControllerAdvice {@ModelAttribute Mono<CsrfToken> csrfToken(ServerWebExchange exchange) {
        Mono<CsrfToken> csrfToken = exchange.getAttribute(CsrfToken.class.getName());
        return csrfToken.doOnSuccess(token -> exchange.getAttributes()
                .put(CsrfRequestDataValueProcessor.DEFAULT_CSRF_ATTR_NAME, token));

There is an open bug report for this on github

CookieServerCsrfTokenRepository 不添加 cookie