Spring Security CookieCsrfTokenRepository overwrites previous Set-Cookie response headers

Describe the bug

With Spring Boot 3.0.5, I have the following Security Configuration and CSRF works as expected.

package com.okta.developer.jugtours.config;

import com.okta.developer.jugtours.web.CookieCsrfFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authz) -> authz
                .requestMatchers("/", "/api/user").permitAll()
                .anyRequest().authenticated()
            );

        http.oauth2Login();
        http.oauth2ResourceServer().jwt();

        http.csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
        http.addFilterAfter(new CookieCsrfFilter(), BasicAuthenticationFilter.class);

        return http.build();
    }
}

If I upgrade to 3.1.0-RC1, it seems that CSRF causes issues, and I'm unable to login and see any endpoints (e.g. /api/groups) that are secured. It results in an endless redirect that eventually results in rate-limiting errors (from Auth0, in my case).

To Reproduce

Here's a repo that you can reproduce the problem with: https://github.com/oktadev/auth0-spring-boot-angular-crud-example

Instructions to reproduce:

1. Clone the repo above.

   git clone https://github.com/oktadev/auth0-spring-boot-angular-crud-example
   

2. Install the Auth0 CLI and run auth0 login in a terminal. Then, run auth0 apps create:

   auth0 apps create \
     --name "Spring Boot 3.1" \
     --description "So Bootiful" \
     --type regular \
     --callbacks http://localhost:8080/login/oauth2/code/okta \
     --logout-urls http://localhost:8080 \
     --reveal-secrets
   

3. Copy the results from the CLI into an okta.env file:

   export OKTA_OAUTH2_ISSUER=https://<your-auth0-domain>/
   export OKTA_OAUTH2_CLIENT_ID=<your-client-id>
   export OKTA_OAUTH2_CLIENT_SECRET=<your-client-secret>
   export OKTA_OAUTH2_AUDIENCE=https://<your-auth0-domain>/api/v2/
   

4. Start the app and log in:

   source okta.env
   mvn spring-boot:run
   

You'll get an infinite redirect when you try to hit http://localhost:8080/api/groups. If you disable CSRF, it will work. Also, if you modify pom.xml to use Spring Boot version 3.0.5, everything will work without disabling CSRF.

Expected behavior

Everything should work just fine with Spring Boot 3.1, as it does with Spring Boot 3.0.5.

Sample

https://github.com/oktadev/auth0-spring-boot-angular-crud-example

Comment From: sjohnr

@mraible thanks for the report!

I have debugged this with the help of @marcusdacoregio and found that the CookieCsrfTokenRepository is overwriting the Set-Cookie header with b79ba89eeb2219fb504a5050cd4a26cf09942f06.

Since both the JSESSIONID and XSRF-TOKEN cookies are rotated on successful login, subsequent requests (after login) are not using the correct session id, which causes those requests to be unauthenticated (anonymous).

I'll update the title of this issue to be specific to the problem and add a fix. Thanks again!

Comment From: mraible

@sjohnr I tried testing this with Spring Boot 3.1.0-SNAPSHOT today, but it still seems to pull in Spring Security 6.0.2. Is there an easy way to tell Maven to use Spring Security 6.1.0-SNAPSHOT?

Also, I saw the following deprecation errors when building.

[WARNING] /Users/mraible/.../SecurityConfiguration.java:[23,13] oauth2Login() in org.springframework.security.config.annotation.web.builders.HttpSecurity has been deprecated and marked for removal
[WARNING] /Users/mraible/.../SecurityConfiguration.java:[24,13] oauth2ResourceServer() in org.springframework.security.config.annotation.web.builders.HttpSecurity has been deprecated and marked for removal
[WARNING] /Users/mraible/.../SecurityConfiguration.java:[24,36] jwt() in org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer has been deprecated and marked for removal
[WARNING] /Users/mraible/.../SecurityConfiguration.java:[26,13] csrf() in org.springframework.security.config.annotation.web.builders.HttpSecurity has been deprecated and marked for removal

However, when I dig into the source code, I don't see the methods as deprecated.

Comment From: marcusdacoregio

Hi @mraible,

I think that Spring Boot snapshots are not using Spring Security snapshots, see https://github.com/spring-projects/spring-boot/blob/9a0b5e01789495b87c5a11bc9b9d6af5d92a8e08/spring-boot-project/spring-boot-dependencies/build.gradle#L1471.

but it still seems to pull in Spring Security 6.0.2. Maybe you have to force refresh your dependencies?

You can override the Spring Security version by adding a property to your pom.xml file:

<properties>
  <spring-security.version>6.1.0-SNAPSHOT</spring-security.version>
</properties>

Comment From: mraible

@marcusdacoregio Thank you! Adding the spring-security.version solves the problem.

I'm still curious about the deprecation warnings.

Comment From: marcusdacoregio

Sorry, I haven't noticed the line about the deprecations.

You can have more detail about the deprecations on this issue https://github.com/spring-projects/spring-security/issues/12629 and in the 6.1.0-SNAPSHOT documentation.

Comment From: mraible

Thanks @marcusdacoregio! I was able to solve the deprecation warnings by changing from this:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests((authz) -> authz
        .requestMatchers("/", "/index.html", "*.ico", "*.css", "*.js", "/api/user").permitAll()
        .anyRequest().authenticated()
    );

    http.oauth2Login();
    http.oauth2ResourceServer().jwt();

    http.csrf()
        .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
    http.addFilterAfter(new CookieCsrfFilter(), BasicAuthenticationFilter.class);

    http.addFilterAfter(new SpaWebFilter(), BasicAuthenticationFilter.class);

    return http.build();
}

To this:

@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http.authorizeHttpRequests((authz) -> authz
            .requestMatchers("/", "/index.html", "*.ico", "*.css", "*.js", "/api/user").permitAll()
            .anyRequest().authenticated())
        .oauth2Login(withDefaults())
        .oauth2ResourceServer((oauth2) -> oauth2.jwt(withDefaults()))
        .csrf((csrf) -> csrf
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler()))
        .addFilterAfter(new CookieCsrfFilter(), BasicAuthenticationFilter.class)
        .addFilterAfter(new SpaWebFilter(), BasicAuthenticationFilter.class);

    return http.build();
}