Closed
Description
Summary
We use multiple XML configurations for different realms. If CSRF is not disabled, the application startup fails because of multiple registrations of the requestDataValueProcessor bean.
Actual Behavior
see org.springframework.security.config.http.CsrfBeanDefinitionParser.parse()
    boolean webmvcPresent = ClassUtils.isPresent(DISPATCHER_SERVLET_CLASS_NAME,
            getClass().getClassLoader());
    if (webmvcPresent) {
        RootBeanDefinition beanDefinition = new RootBeanDefinition(
                CsrfRequestDataValueProcessor.class);
        BeanComponentDefinition componentDefinition = new BeanComponentDefinition(
                beanDefinition, REQUEST_DATA_VALUE_PROCESSOR);
        pc.registerBeanComponent(componentDefinition);
    }
unconditionally registers bean
Expected Behavior
CsrfBeanDefinitionParser should check presence?
Version
version 5.1.3
Sample
This will not start
    <bean id="errorAuthenticationEntryPoint"
          class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

    <security:http name="securityRealmControl" pattern="/api/v1/control/**" entry-point-ref="errorAuthenticationEntryPoint">
        <security:intercept-url pattern="/**" access="hasRole('OPERATOR')" />
    </security:http>

    <security:http name="securityRealmFlow" pattern="/api/v1/flow/**" entry-point-ref="errorAuthenticationEntryPoint">
        <security:intercept-url pattern="/api/v1/flow/*/create" access="hasRole('USER')" />
    </security:http>
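
The presence check asked about under Expected Behavior, as an added example that is not part of the original report and not Spring Security's own code: it registers the `requestDataValueProcessor` name twice, once per `<security:http>` element, first unconditionally and then behind a `containsBeanDefinition` guard. Assumptions: the registry rejects duplicate bean names (bean definition overriding disabled, which the report does not state), `StandInProcessor` is a placeholder for `CsrfRequestDataValueProcessor`, and `registerIfAbsent` is a hypothetical helper.

```java
import org.springframework.beans.factory.support.BeanDefinitionOverrideException;
import org.springframework.beans.factory.support.BeanDefinitionRegistry;
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
import org.springframework.beans.factory.support.RootBeanDefinition;

public class GuardedRegistrationDemo {

    // Bean name taken from the issue text.
    static final String REQUEST_DATA_VALUE_PROCESSOR = "requestDataValueProcessor";

    // Placeholder for CsrfRequestDataValueProcessor so the demo needs only spring-beans.
    static class StandInProcessor { }

    // Same shape as the registration quoted in the issue: no check before registering.
    static void registerUnconditionally(BeanDefinitionRegistry registry) {
        registry.registerBeanDefinition(REQUEST_DATA_VALUE_PROCESSOR,
                new RootBeanDefinition(StandInProcessor.class));
    }

    // Hypothetical guarded variant: skip registration when the name is already taken.
    static void registerIfAbsent(BeanDefinitionRegistry registry) {
        if (!registry.containsBeanDefinition(REQUEST_DATA_VALUE_PROCESSOR)) {
            registerUnconditionally(registry);
        }
    }

    // Assumption: duplicate bean names are rejected rather than silently overridden.
    static DefaultListableBeanFactory newStrictRegistry() {
        DefaultListableBeanFactory factory = new DefaultListableBeanFactory();
        factory.setAllowBeanDefinitionOverriding(false);
        return factory;
    }

    public static void main(String[] args) {
        DefaultListableBeanFactory unguarded = newStrictRegistry();
        registerUnconditionally(unguarded);      // first <security:http> element
        try {
            registerUnconditionally(unguarded);  // second <security:http> element
            System.out.println("unguarded: second registration accepted");
        } catch (BeanDefinitionOverrideException ex) {
            System.out.println("unguarded: " + ex.getMessage());
        }

        DefaultListableBeanFactory guarded = newStrictRegistry();
        registerIfAbsent(guarded);               // first <security:http> element
        registerIfAbsent(guarded);               // second one is a no-op
        System.out.println("guarded: definitions = " + guarded.getBeanDefinitionCount());
    }
}
```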