
BREACH attack protection for CSRF tokens

Open sjohnr opened this issue 3 years ago • 1 comment

sjohnr Jan 25 '22 18:01

@rwinch I have pushed a branch (draft 1) based on our discussion, and am looking for general feedback on the approach. This draft uses functional hooks.

The next approach we could try would be to introduce a new interface. I don't have a good idea for what it would be called but let me know if you would like to see that approach next, or if you have another idea for the next branch.

sjohnr Aug 11 '22 21:08

I think this is a good start. I agree with you that we should create specific interfaces. An interesting observation is that CsrfAuthenticationStrategy can reuse the logic for setting the CSRF on an attribute.

I think that the names you have used could be used as valid interface names: RequestAttributeHandler and CsrfTokenRequestResolver (we might need to play with this a bit). We should have a single class implement both APIs since they are distinct jobs, but need to be coordinated.

rwinch Aug 19 '22 16:08
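The thread discusses two coordinated jobs (a handler that exposes the CSRF token as a request attribute and a resolver that reads it back from the request) and the reason they are needed here: BREACH, a compression side channel that recovers a secret from a compressed response body when attacker-controlled input is reflected next to it. The following is an added, self-contained example (not code from the branch or from Spring Security) that models those two roles as plain Python functions, uses the mitigation of XOR-masking the token with a fresh random pad on every response (an assumption about the mechanism; the thread does not describe one), and includes a constructed page plus a small compression oracle so the leak can be seen against a static token and seen to fail against a masked one. The interface names come from the comment above; the function signatures, the dict standing in for a servlet request, the page markup, the header and form-field names, and the fixed demo token are all assumptions.

```python
"""BREACH-resistant CSRF token handling: mask on output, unmask on input,
plus a compression-oracle demo. Added example, not Spring Security code."""
import hmac
import secrets
import zlib
from random import Random
from typing import Callable, Optional

# Constructed fixed token so the demo is reproducible; a real server would
# generate it per session with secrets.token_bytes().
TOKEN = bytes.fromhex("9f2b7c41e0d35a86b1c4f7e92d0a6b53")
HEX = "0123456789abcdef"


def mask_token(token: bytes, rng: Optional[Random] = None) -> bytes:
    """Return r || (token XOR r) with a fresh one-time pad r per call, so the same
    session token appears as a different byte string in every response."""
    r = rng.randbytes(len(token)) if rng else secrets.token_bytes(len(token))
    return r + bytes(a ^ b for a, b in zip(token, r))


def unmask_token(masked: bytes) -> bytes:
    """Inverse of mask_token: split off r and XOR it back out."""
    if len(masked) % 2:
        raise ValueError("masked token must have an even number of bytes")
    half = len(masked) // 2
    return bytes(a ^ b for a, b in zip(masked[half:], masked[:half]))


# --- the two coordinated jobs named in the thread, as plain functions (assumed API) ---

def handle_request_attribute(request: dict, token: bytes, rng: Optional[Random] = None) -> None:
    """RequestAttributeHandler role: only the masked form ever reaches the view layer."""
    request["attrs"]["_csrf"] = mask_token(token, rng).hex()


def resolve_token(request: dict, actual: bytes) -> bool:
    """CsrfTokenRequestResolver role: read the submitted value (header first, then
    form field), unmask it if it has the masked length, compare in constant time."""
    submitted = request["headers"].get("X-CSRF-TOKEN") or request["form"].get("_csrf")
    if submitted is None:
        return False
    try:
        raw = bytes.fromhex(submitted)
    except ValueError:
        return False
    if len(raw) == 2 * len(actual):
        raw = unmask_token(raw)
    return hmac.compare_digest(raw, actual)


# --- constructed page and compression oracle for the BREACH demo ---

def render_page(csrf_value_hex: str, query: str) -> bytes:
    """Token and attacker-controlled `query` end up in one compressed body."""
    nav = "".join(f'<li><a href="/item/{i}">Item {i}</a></li>' for i in range(8))
    return (
        "<html><body><ul>" + nav + "</ul>"
        '<form method="post"><input type="hidden" name="csrf_token" value="'
        + csrf_value_hex + '"></form><p>Results for: ' + query
    ).encode()


def compressed_size(body: bytes) -> int:
    # Z_FIXED (static Huffman tables) makes one leaked literal cost exactly 8 bits, so a
    # correct guess is exactly one byte shorter. Real servers use dynamic tables, where
    # the signal is noisier and an attacker repeats measurements.
    c = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
    return len(c.compress(body) + c.flush())


def leak_next_char(render: Callable[[str], bytes], known: str) -> str:
    """One BREACH step: reflect the markup preceding the token plus each candidate;
    the candidate that extends the LZ77 match shortens the compressed body."""
    sizes = {c: compressed_size(render('csrf_token" value="' + known + c)) for c in HEX}
    return min(sizes, key=sizes.get)


def leak_prefix(render: Callable[[str], bytes], n: int) -> str:
    known = ""
    for _ in range(n):
        known += leak_next_char(render, known)
    return known


def static_render(query: str) -> bytes:
    """Vulnerable: the raw token is written into every response."""
    return render_page(TOKEN.hex(), query)


def make_masked_render(rng: Random) -> Callable[[str], bytes]:
    """Hardened: each response carries a freshly masked token."""
    return lambda query: render_page(mask_token(TOKEN, rng).hex(), query)


if __name__ == "__main__":
    print("static token, leaked prefix:", leak_prefix(static_render, 6), "actual:", TOKEN.hex()[:6])
    print("masked token, leaked prefix:", leak_prefix(make_masked_render(Random(7)), 6))
```

The resolver accepts both the masked form (what the view emitted) and the raw form (what a client that read the token from a cookie or API may send), which is why the check is on length rather than a flag; whichever form arrives, the comparison is against the unmasked session token in constant time.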

Replaced by gh-11731

sjohnr Aug 23 '22 14:08