Hi Team!

After upgrading to Spring Boot 3, a FreeMarker form no longer renders because the _csrf attribute is null.

Sample app (technically it's not rendering _csrf in a form, but it's the same problem): https://github.com/ardetrick/springboot3-freemarker-csrf-issue

There is a workaround where setting spring.freemarker.expose-request-attributes=true resolves the issue; however, this does not seem like the correct fix.

I recognize that there have been a few changes to Spring Security and CSRF as part of upgrading Spring Security from 5 to 6; however, the Spring Security team does not believe this issue is related: https://github.com/spring-projects/spring-security/issues/12462#issuecomment-1373957266

In addition, at least one other person has also noted this issue: https://github.com/spring-projects/spring-security/issues/12462#issuecomment-1373911441.

Thanks for the help!

Comment From: petenattress

Thanks for raising this @ardetrick. I agree the workaround isn't ideal (and for me it has caused another issue where redirects now attempt to add duplicate attributes to the model) but at least it demonstrates the underlying cause.

PS for the benefit of the Spring Boot team, I believe this is the change which caused the regression.

Comment From: wilkinsona

Thanks, both. I agree, the behavior appears to be due to changes to the buildTemplateModel of Spring Framework's FreeMarkerView that were made as part of https://github.com/spring-projects/spring-framework/commit/d84ca2ba90d27a7c63d7b35a6259b5b9cf341118.

In Spring Framework 5.3.x, that model is an AllHttpScopesHashModel but in 6.0.x it's a SimpleHash. Interestingly, a comment states that it will "expose all standard FreeMarker hash models" which is no longer the case. We'll transfer this issue to the Framework team for further investigation.

Comment From: jhoeller

Revised to expose a custom RequestHashModel now, adding a request attribute fallback. This aligns with the way Servlet resource views such as JSPs work, without over-exposing everything from an AllHttpScopesHashModel as before.
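
The request attribute fallback described in the last comment can be pictured with the sketch below. It is an added example, not Spring Framework's RequestHashModel and not code from any participant in this thread; the class name FallbackRequestHashModel and its constructor are hypothetical, and it assumes FreeMarker 2.3.x and the Jakarta Servlet API on the classpath.

```java
import java.util.Map;

import freemarker.template.ObjectWrapper;
import freemarker.template.SimpleHash;
import freemarker.template.TemplateModel;
import freemarker.template.TemplateModelException;
import jakarta.servlet.http.HttpServletRequest;

/**
 * Hypothetical illustration of a template model with a request attribute
 * fallback. Explicit model entries are looked up first; only when a key is
 * missing from the model is the current request consulted. Session and
 * servlet-context scopes are never consulted, unlike AllHttpScopesHashModel.
 */
public class FallbackRequestHashModel extends SimpleHash {

    private final HttpServletRequest request;

    public FallbackRequestHashModel(ObjectWrapper wrapper,
                                    Map<String, Object> model,
                                    HttpServletRequest request) {
        super(wrapper);
        this.request = request;
        // Copy the controller-supplied model so it always wins over
        // request attributes that happen to share a name.
        putAll(model);
    }

    @Override
    public TemplateModel get(String key) throws TemplateModelException {
        // 1. Regular model lookup, the only step a plain SimpleHash performs.
        TemplateModel value = super.get(key);
        if (value != null) {
            return value;
        }
        // 2. Fallback: a request attribute of the same name, for example
        //    the _csrf attribute that this issue reports as null.
        Object attribute = this.request.getAttribute(key);
        return (attribute != null ? wrap(attribute) : null);
    }
}
```

Because only `get` is overridden, request attributes resolve when a template names them directly but are not copied into the model, so iterating over the model's keys still shows only the explicit entries.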