Release notes for version 1.3.1.0 of SpringBot.
Features
- No new features in this release.
Improvements
- Expand testing for CSRF tokens.
- Update SpringBot to use standardised token and cookie names for CSRF.
- Replace the full custom CSRF cookie implementation with an implementation of the CsrfTokenRepository provided by Spring Boot.
- By default production mode forces SSL; this can now be configured using the protected region called "Override strict HTTPS mode here" in the SecurityConfig.java file.
Resolved defects
- Fixed issue where no feedback was provided to users attempting to register.
- Resolve failing API tests
- Issue resolved where entity diagrams with more than 84 entities without the Security extension breached a JVM parameter number limitation, causing a compilation error. See https://docs.oracle.com/javase/specs/jvms/se8/html/jvms-4.html#jvms-4.3.3 for more details.
Migration path
CSRF token and cookie renamed
Any custom code that utilised the CSRF cookie or token will need to be updated to operate with the new values.

| Feature | Old name | New name |
|---|---|---|
| CSRF cookie | XSRF-TOKEN | XSRF-TOKEN |
| CSRF token header | XSRF-TOKEN | X-XSRF-TOKEN |
| CSRF query parameter | | _csrf |
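As an added illustration (not SpringBot's own SecurityConfig.java), the following shows how the standardised names in the table map onto Spring Security's CookieCsrfTokenRepository, together with the forced-HTTPS rule mentioned under Improvements. It assumes a Spring Boot application on Spring Security 5.7 or later; the class name CsrfExampleConfig is invented.

```java
// Added example, not SpringBot's own configuration.
// Assumes Spring Security 5.7+ (SecurityFilterChain bean, lambda DSL).
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;

@Configuration
public class CsrfExampleConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // withHttpOnlyFalse() lets browser-side code read the XSRF-TOKEN cookie
        // so it can echo the value back in the X-XSRF-TOKEN header (double submit).
        CookieCsrfTokenRepository repo = CookieCsrfTokenRepository.withHttpOnlyFalse();

        // These are already the repository's defaults; they are set explicitly here
        // so the names from the migration table are visible in one place.
        repo.setCookieName("XSRF-TOKEN");      // cookie read by the client
        repo.setHeaderName("X-XSRF-TOKEN");    // header the client must send back
        repo.setParameterName("_csrf");        // form/query fallback for the token

        http.csrf(csrf -> csrf.csrfTokenRepository(repo));

        // Strict HTTPS: every request must arrive over a secure channel, which is
        // what "production mode forces SSL" amounts to. Relax this only in the
        // equivalent of the "Override strict HTTPS mode here" region.
        http.requiresChannel(channel -> channel.anyRequest().requiresSecure());

        return http.build();
    }
}
```

A request that carries the XSRF-TOKEN cookie but still sends the old XSRF-TOKEN header name will be rejected with 403, which is the symptom to expect from un-migrated client code.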
CustomAuthenticationSuccessHandler#setSameSiteAttributeForAllCookie
This method has been moved to SecurityConfig.java.
AuthenticationService#addAuthentication
Code relating to CSRF has been removed from the inactive protected region "Add any additional logic before configuring the response here". If you have enabled this protected region, it is recommended that you temporarily turn it off, build again, and then migrate your changes back into the protected region to ensure that you pick up the new changes.
AuthenticationService#getCsrfToken
This method has been removed. Please migrate any custom code in the protected region called "Add any additional preprocessing logic for getCsrfToken here" into the JwtAuthenticationFilter#attemptAuthentication method.
AuthenticationServiceTest
CSRF references have mostly been removed from this set of tests; they have been migrated to the XsrfTokenRepositoryTest.
JwtAuthenticationFilterTest
CSRF references have mostly been removed from this set of tests; they have been migrated to the XsrfTokenRepositoryTest.