Summary

I have a Spring Cloud Gateway application which uses Spring Security to provide CSRF protection. The gateway has a single webpage which sends POST requests to some service behind the gateway. When CSRF is disabled, everything works, both form and AJAX POST requests. But when CSRF is enabled, form POSTs hang and eventually time out.

This is somehow related to Spring Cloud Gateway, as the issue doesn't arise without it.

See the sample for steps to reproduce.

Actual Behavior

  • AJAX POST is received by service
  • Form POST hangs

Expected Behavior

  • AJAX POST is received by service
  • Form POST is received by service

Configuration

See sample

Version

5.2.1.RELEASE

Sample

https://github.com/SmithJosh/spring-security-8026

Comment From: rwinch

Thanks for the report and the excellent sample. The problem seems to happen because Spring Security's CsrfWebFilter reads ServerWebExchange.getFormData() before the gateway is invoked.

The problem is more general in that if any WebFilter reads the form data the problem occurs. For example, the following WebFilter will cause the issue without Spring Security on the classpath:

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // runs ahead of every other WebFilter
public class ReadFormWebFilter implements WebFilter {
    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        // Parsing the form consumes the request body before the gateway gets to forward it
        return exchange.getFormData()
            .flatMap(d -> Mono.justOrEmpty(d.getFirst("foo")))
            .then(chain.filter(exchange));
    }
}

I've included a complete example in a branch named nosecurity of my fork of your sample that demonstrates the issue is reproducible without Spring Security. I'd suggest you create a ticket in Spring Cloud Gateway.
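An added example, not code from this issue, from Spring Security or from Spring Cloud Gateway: the WebFilter below shows the single-subscription behaviour behind the hang and one way to work around it in a filter of your own. A WebFlux request body is a Flux<DataBuffer> that can be consumed only once, so a filter that parses the form has drained the stream by the time a proxying handler tries to forward it. This filter copies the body into a byte array first, parses the form itself with FormHttpMessageReader from a decorated request whose getBody() replays those bytes, publishes the parsed map as an exchange attribute, and passes the mutated exchange down the chain, so whatever later reads getRequest().getBody() still receives the full body. The class name and the FORM_ATTRIBUTE name are arbitrary choices for the example.

```java
import java.util.Collections;

import org.springframework.core.Ordered;
import org.springframework.core.ResolvableType;
import org.springframework.core.annotation.Order;
import org.springframework.core.io.buffer.DataBuffer;
import org.springframework.core.io.buffer.DataBufferUtils;
import org.springframework.http.MediaType;
import org.springframework.http.codec.FormHttpMessageReader;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpRequestDecorator;
import org.springframework.stereotype.Component;
import org.springframework.util.MultiValueMap;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

/**
 * Added example, not Spring Security or Spring Cloud Gateway code: buffers a
 * url-encoded form body once, parses it from the buffered bytes, and hands the
 * rest of the chain a request whose getBody() can be subscribed to repeatedly.
 */
@Component
@Order(Ordered.HIGHEST_PRECEDENCE)
public class ReplayingFormWebFilter implements WebFilter {

    /** Exchange attribute under which the parsed form is published (name chosen for this example). */
    public static final String FORM_ATTRIBUTE = ReplayingFormWebFilter.class.getName() + ".FORM";

    private static final ResolvableType FORM_TYPE =
            ResolvableType.forClassWithGenerics(MultiValueMap.class, String.class, String.class);

    private final FormHttpMessageReader formReader = new FormHttpMessageReader();

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
        ServerHttpRequest request = exchange.getRequest();
        MediaType contentType = request.getHeaders().getContentType();
        // Only url-encoded forms are buffered; every other body passes through untouched.
        if (contentType == null || !MediaType.APPLICATION_FORM_URLENCODED.isCompatibleWith(contentType)) {
            return chain.filter(exchange);
        }
        // The reactive body can be consumed only once, so copy it into a byte[] before anything else reads it.
        return DataBufferUtils.join(request.getBody())
                .map(buffer -> {
                    byte[] bytes = new byte[buffer.readableByteCount()];
                    buffer.read(bytes);
                    DataBufferUtils.release(buffer);
                    return bytes;
                })
                .defaultIfEmpty(new byte[0])
                .flatMap(bytes -> {
                    // Each subscription to getBody() gets a fresh buffer wrapping the same bytes.
                    ServerHttpRequest replayable = new ServerHttpRequestDecorator(request) {
                        @Override
                        public Flux<DataBuffer> getBody() {
                            return Flux.defer(() -> Flux.just(
                                    exchange.getResponse().bufferFactory().wrap(bytes)));
                        }
                    };
                    ServerWebExchange mutated = exchange.mutate().request(replayable).build();
                    // Parse from the replayable request, not via exchange.getFormData(), which would
                    // subscribe to the original (already drained) body.
                    return formReader.readMono(FORM_TYPE, replayable, Collections.emptyMap())
                            .doOnNext(form -> mutated.getAttributes().put(FORM_ATTRIBUTE, form))
                            .then(chain.filter(mutated));
                });
    }
}
```

Two caveats. First, exchange.mutate().request(...) does not change what exchange.getFormData() returns: the mutated exchange delegates that call to the original exchange, which parses the original request body, so code running after this filter must read the FORM_ATTRIBUTE attribute or the replayed body rather than call getFormData(). Second, this only covers application/x-www-form-urlencoded; multipart bodies are left alone, and whether the gateway itself needs any such handling is for the linked Spring Cloud Gateway issue, not this filter, to settle.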

Comment From: SmithJosh

Thanks for the help @rwinch!

Comment From: rwinch

@SmithJosh If you create another issue, can you please link it to here for others to find?

Comment From: SmithJosh

Sure, here's a link to the gateway issue: https://github.com/spring-cloud/spring-cloud-gateway/issues/1587

Comment From: tianshuang

Is this problem solved now?

Comment From: rwinch

This was not a bug in Spring Security. Please refer to the Spring Cloud issue for updates.