Restore Servlet 5 Compatibility for CookieCsrfTokenRepository #16173

Closed
acutus opened this issue Nov 26, 2024 · 1 comment
Labels: in: web (An issue in web modules (web, webmvc)); type: bug (A general bug)


acutus commented Nov 26, 2024

Describe the bug

It seems this fix (#14131) might have broken backwards compatibility with Jakarta Servlet 5, as it uses the new Cookie#setAttribute() method.

When using a CookieCustomizer to set the SameSite attribute, upgrading to spring-security-web:6.1.9 causes the error below. Downgrading back to spring-security-web:6.1.5 fixes the issue.

2024-11-26 16:24:18 java.lang.NoSuchMethodError: 'void jakarta.servlet.http.Cookie.setAttribute(java.lang.String, java.lang.String)'
2024-11-26 16:24:18     at org.springframework.security.web.csrf.CookieCsrfTokenRepository.mapToCookie(CookieCsrfTokenRepository.java:200)

To Reproduce
Upgrade to Spring Security version 6.1.9

Expected behavior
I would expect CookieCsrfTokenRepository() to work in the same manner between 6.1.5 and 6.1.9

Sample
Example of how the tokenRepo is initialized below:

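import org.springframework.security.web.csrf.CookieCsrfTokenRepository

val tokenRepo = CookieCsrfTokenRepository()
// The customizer sets SameSite on the CSRF cookie before it is written
tokenRepo.setCookieCustomizer { cookie ->
    cookie.sameSite("lax")
}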

jzheaux commented Dec 5, 2024

Thanks @acutus for reaching out. I've pushed a fix to 6.2.x, 6.3.x, and main (6.4.x). Can you check the next SNAPSHOT available build and see if it addresses your issue?

jzheaux added this to the 6.2.9 milestone Dec 5, 2024
jzheaux changed the title from "CookieCsrfTokenRepository uses Cookie#setAttribute() which breaks compatibility with Servlet API 5" to "Restore Servlet 5 Compatibility for CookieCsrfTokenRepository" Dec 5, 2024
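
An added example, not part of the issue thread and not Spring Security's own code: a Kotlin startup probe that reports whether the Servlet API actually loaded at runtime provides Cookie#setAttribute(String, String), the method named in the stack trace above, and which jar the Cookie class came from. `ServletCookieProbe` and `probeServletCookieApi` are hypothetical names chosen for this illustration.

```kotlin
// Added example (not Spring Security code): checks whether the Servlet API
// loaded at runtime has Cookie#setAttribute(String, String), the method
// named in the NoSuchMethodError reported in this issue.

/** What the probe found. All names in this block are hypothetical. */
data class ServletCookieProbe(
    val cookieClassFound: Boolean,
    val hasSetAttribute: Boolean,
    val loadedFrom: String?,   // jar or directory the Cookie class was loaded from
    val specVersion: String?,  // Specification-Version from the jar manifest, if present
)

fun probeServletCookieApi(
    className: String = "jakarta.servlet.http.Cookie",
    loader: ClassLoader? = Thread.currentThread().contextClassLoader,
): ServletCookieProbe {
    // Load without initializing; a missing class means no Jakarta Servlet API at all.
    val cookieClass = try {
        Class.forName(className, false, loader)
    } catch (e: ClassNotFoundException) {
        return ServletCookieProbe(false, false, null, null)
    }
    // Look the method up reflectively so the probe itself links on any Servlet version.
    val hasSetAttribute = try {
        cookieClass.getMethod("setAttribute", String::class.java, String::class.java)
        true
    } catch (e: NoSuchMethodException) {
        false
    }
    return ServletCookieProbe(
        cookieClassFound = true,
        hasSetAttribute = hasSetAttribute,
        loadedFrom = cookieClass.protectionDomain?.codeSource?.location?.toString(),
        specVersion = cookieClass.`package`?.specificationVersion,
    )
}

fun main() {
    val probe = probeServletCookieApi()
    when {
        !probe.cookieClassFound -> println("jakarta.servlet.http.Cookie is not on the classpath")
        probe.hasSetAttribute -> println("Cookie#setAttribute present (from ${probe.loadedFrom})")
        else -> println(
            "Cookie#setAttribute missing: Servlet API ${probe.specVersion ?: "unknown"} " +
                "from ${probe.loadedFrom}; code calling it will throw NoSuchMethodError"
        )
    }
}
```

Running the probe inside the deployed application, rather than in the build, shows the Servlet API the container provides, which can differ from the version declared in the project's dependencies.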