SpringBoot CSRF behavior is different between 3.0.5 and 3.1.0

With Spring Boot 3.0.5, I have the following Security Configuration and CSRF works as expected.

package com.okta.developer.jugtours.config;

import com.okta.developer.jugtours.web.CookieCsrfFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler;

@Configuration
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests((authz) -> authz
                .requestMatchers("/", "/api/user").permitAll()
                .anyRequest().authenticated()
            );

        http.oauth2Login();
        http.oauth2ResourceServer().jwt();

        http.csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
            .csrfTokenRequestHandler(new CsrfTokenRequestAttributeHandler());
        http.addFilterAfter(new CookieCsrfFilter(), BasicAuthenticationFilter.class);

        return http.build();
    }
}

If I upgrade to 3.1.0-RC1, it seems that CSRF causes issues and I'm unable to login and see any endpoints (e.g. /api/groups) that are secured. It results in an endless redirect that eventually results in rate-limiting errors (from Auth0, in my case).

Here's a repo that you can reproduce the problem with: https://github.com/oktadev/auth0-spring-boot-angular-crud-example

Instructions to reproduce:

1. Clone the repo above.

   git clone https://github.com/oktadev/auth0-spring-boot-angular-crud-example
   

2. Install the Auth0 CLI and run auth0 login in a terminal. Then, run auth0 apps create:

   auth0 apps create \
     --name "Spring Boot 3.1" \
     --description "So Bootiful" \
     --type regular \
     --callbacks http://localhost:8080/login/oauth2/code/okta \
     --logout-urls http://localhost:8080 \
     --reveal-secrets
   

3. Copy the results from the CLI into an okta.env file:

   export OKTA_OAUTH2_ISSUER=https://<your-auth0-domain>/
   export OKTA_OAUTH2_CLIENT_ID=<your-client-id>
   export OKTA_OAUTH2_CLIENT_SECRET=<your-client-secret>
   export OKTA_OAUTH2_AUDIENCE=https://<your-auth0-domain>/api/v2/
   

4. Start the app and log in:

   source okta.env
   mvn spring-boot:run
   

You'll get an infinite redirect when you try to hit http://localhost:8080/api/groups. If you disable CSRF, it will work. Also, if you modify pom.xml to use Spring Boot version 3.0.5, everything will work without disabling CSRF.

Comment From: wilkinsona

Thanks, Matt, but it's not clear to me why you have opened this against Spring Boot rather than Spring Security. If you have done some initial analysis that suggests Boot itself is the cause, can you please share that analysis? Otherwise, I think this should be reported to the Spring Security team.

Comment From: mraible

@wilkinsona I moved this issue to Spring Security's issue tracker. https://github.com/spring-projects/spring-security/issues/13075

I'll close this issue.