Skip to content

Restore Servlet 5 Compatiblity for CookieCsrfTokenRepository #16173

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
acutus opened this issue Nov 26, 2024 · 2 comments
Closed

Restore Servlet 5 Compatiblity for CookieCsrfTokenRepository #16173

acutus opened this issue Nov 26, 2024 · 2 comments
Assignees
@jzheaux
Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug

Comments

@acutus
Copy link

acutus commented Nov 26, 2024

Describe the bug

It seems this fix (#14131) might have broken backwards compatibility with jakarta servlet 5, as it uses the new Cookie#setAttribute()-method.

When using a CookieCustomizer to set SameSite-attribute, upgrading to spring-security-web:6.1.9 causes the error below. Downgrading back to spring-security-web:6.1.5 fixes the issue.

2024-11-26 16:24:18 java.lang.NoSuchMethodError: 'void jakarta.servlet.http.Cookie.setAttribute(java.lang.String, java.lang.String)'
2024-11-26 16:24:18     at org.springframework.security.web.csrf.CookieCsrfTokenRepository.mapToCookie(CookieCsrfTokenRepository.java:200)

To Reproduce
Upgrade to spring security version 6.1.9

Expected behavior
I would expect CookieCsrfTokenRepository() to work in the same manner between 6.1.5 and 6.1.9

Sample
Example of how the tokenRepo is initialized below:

val tokenRepo = CookieCsrfTokenRepository()
tokenRepo.setCookieCustomizer { cookie ->
     cookie.sameSite("lax")
}
@acutus acutus added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 26, 2024
@acutus acutus mentioned this issue Nov 26, 2024
Closed
@jzheaux jzheaux self-assigned this Dec 5, 2024
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 5, 2024
@jzheaux jzheaux mentioned this issue Dec 5, 2024
Closed
@jzheaux jzheaux closed this as completed in 96a9cf0 Dec 5, 2024
@jzheaux
Copy link
Contributor

jzheaux commented Dec 5, 2024

Thanks @acutus for reaching out. I'm pushed a fix to 6.2.x, 6.3.x, and main (6.4.x). Can you check the next SNAPSHOT available build and see if it addresses your issue?

@jzheaux jzheaux added this to the 6.2.9 milestone Dec 5, 2024
@jzheaux jzheaux changed the title CookieCsrfTokenRepository uses Cookie#setAttribute() which breaks compatibility with Servlet API 5 Restore Servlet 5 Compatiblity for CookieCsrfTokenRepository Dec 5, 2024
@acutus
Copy link
Author

acutus commented Mar 6, 2025

Can confirm that this works now in 6.3.7, thank you @jzheaux

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: web An issue in web modules (web, webmvc) type: bug A general bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@acutus @jzheaux