Summary

Detected by blockhound: WebSessionServerCsrfTokenRepository and CookieServerCsrfTokenRepository make blocking calls to UUID.randomUUID when generating the token.

It would be nice to have a non-blocking SecureRandom to solve this. It can of course be offloaded to the boundedElastic scheduler, but that looks suboptimal.

https://github.com/spring-projects/spring-security/blob/747d8817cbadc307f7407c26fc88b2ff63c37149/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java#L112

Version

5.2.2.RELEASE

Comment From: rwinch

Thanks for the report @cbornet!

I'm not aware of a non-blocking secure random source. Are you? If we don't have a non-blocking secure random source then I agree our best bet is to use the boundedElastic.

Would you be interested in submitting a PR?

Comment From: cbornet

> I'm not aware of a non-blocking secure random source. Are you?

No, I'm not either. I guess even reading /dev/random with NIO is still offloading to a thread-pool. Would be nice to have it in Java one day though.

I'll do the PR for boundedElastic, no problem.

Comment From: cbornet

I want to put a publishOn in generateToken but I can't find a good place where I could do

    @Override
    public Mono<CsrfToken> generateToken(ServerWebExchange exchange) {
        // fromCallable is a static factory: calling it on the publishOn chain would
        // discard that chain, so map the (unused) exchange to a token on boundedElastic
        return Mono.just(exchange)
            .publishOn(Schedulers.boundedElastic())
            .map(e -> createCsrfToken());
    }

but maybe there's a better way without wrapping exchange (which is not used)?

Comment From: rwinch

That looks correct to me.
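As an added illustration (not Spring Security's code), the following stand-alone Reactor example shows both shapes discussed above for keeping the blocking `UUID.randomUUID()` call off non-blocking threads, and checks that the token is really produced on a boundedElastic worker. `createCsrfToken` and the class name are assumptions standing in for the repository's own method.

```java
import java.util.UUID;
import java.util.concurrent.atomic.AtomicReference;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

// Added example: a stand-in for WebSessionServerCsrfTokenRepository.generateToken
// that moves the blocking SecureRandom-backed UUID generation to boundedElastic.
public class OffloadedCsrfTokenDemo {

    // Hypothetical stand-in for the repository's createCsrfToken(); the
    // SecureRandom behind UUID.randomUUID() is what BlockHound reports as blocking.
    static String createCsrfToken() {
        return UUID.randomUUID().toString();
    }

    // Preferred shape: the Callable is subscribed on a boundedElastic worker, so the
    // blocking call never runs on the caller's event-loop thread.
    static Mono<String> generateToken() {
        return Mono.fromCallable(OffloadedCsrfTokenDemo::createCsrfToken)
                   .subscribeOn(Schedulers.boundedElastic());
    }

    // Shape from the thread that keeps the (unused) exchange: publishOn switches the
    // downstream map, and therefore the blocking call, onto boundedElastic.
    static Mono<String> generateTokenPublishOn(Object exchange) {
        return Mono.just(exchange)
                   .publishOn(Schedulers.boundedElastic())
                   .map(e -> createCsrfToken());
    }

    public static void main(String[] args) {
        AtomicReference<String> emittingThread = new AtomicReference<>();
        String token = generateToken()
            .doOnNext(t -> emittingThread.set(Thread.currentThread().getName()))
            .block();
        System.out.println("token=" + token + " generated on " + emittingThread.get());
        // boundedElastic workers are named "boundedElastic-N"; anything else means
        // the blocking call leaked onto the subscribing thread.
        if (!emittingThread.get().startsWith("boundedElastic")) {
            throw new IllegalStateException("token generation was not offloaded");
        }
        String viaPublishOn = generateTokenPublishOn(new Object()).block();
        System.out.println("publishOn variant token=" + viaPublishOn);
    }
}
```

Requires reactor-core on the classpath; running it under BlockHound would flag the first variant only if `subscribeOn` were removed.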

Comment From: rwinch

@cbornet Are you still interested in submitting this?

Comment From: cbornet

Yes. Sorry I've been quite busy. I'll do it this week.