Detected by BlockHound: WebSessionServerCsrfTokenRepository and CookieServerCsrfTokenRepository make blocking calls to UUID.randomUUID when generating the token.
It would be nice to have a non-blocking SecureRandom to solve this.
It can of course be offloaded to the boundedElastic scheduler but that looks suboptimal.
5.2.2.RELEASE
Thanks for the report @cbornet!
I'm not aware of a non-blocking secure random source. Are you? If we don't have a non-blocking secure random source then I agree our best bet is to use the boundedElastic.
Would you be interested in submitting a PR?
> I'm not aware of a non-blocking secure random source. Are you?
No, I'm not either. I guess even reading /dev/random with NIO is still offloading to a thread-pool. Would be nice to have it in Java one day though.
I'll do the PR for boundedElastic, no problem.
I want to put a publishOn in generateToken but I don't find a good place.
I could do
    @Override
    public Mono<CsrfToken> generateToken(ServerWebExchange exchange) {
        // publishOn moves the downstream map(), and so the token creation, onto boundedElastic
        return Mono.just(exchange)
            .publishOn(Schedulers.boundedElastic())
            .map(ignored -> createCsrfToken());
    }
but maybe there's a better way without wrapping exchange (which is not used)?
That looks correct to me.
@cbornet Are you still interested in submitting this?
Yes. Sorry I've been quite busy. I'll do it this week.
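
The offloading discussed in this thread, as an added example that is not part of the original issue or of Spring Security's code: it prints which thread performs the UUID.randomUUID call when the token is created inline, behind publishOn, and behind subscribeOn. It assumes reactor-core is on the classpath; the class name, method names and the createToken stand-in are hypothetical.

```java
import java.util.UUID;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

public class CsrfTokenOffloadDemo {

    // Hypothetical stand-in for the repository's token creation. UUID.randomUUID()
    // draws from SecureRandom, which is the call BlockHound flags as blocking.
    // The thread name is prepended so the output shows where the call ran.
    static String createToken() {
        return Thread.currentThread().getName() + " -> " + UUID.randomUUID();
    }

    // No scheduler: the callable runs on whichever thread subscribes,
    // which in a WebFlux application is the event loop.
    static Mono<String> inline() {
        return Mono.fromCallable(CsrfTokenOffloadDemo::createToken);
    }

    // publishOn affects operators downstream of it, so the token must be
    // created in an operator placed after publishOn (here, map).
    static Mono<String> viaPublishOn() {
        return Mono.just("exchange")
                .publishOn(Schedulers.boundedElastic())
                .map(ignored -> createToken());
    }

    // subscribeOn moves the subscription itself, so the callable runs on
    // boundedElastic without wrapping an unused value.
    static Mono<String> viaSubscribeOn() {
        return Mono.fromCallable(CsrfTokenOffloadDemo::createToken)
                .subscribeOn(Schedulers.boundedElastic());
    }

    public static void main(String[] args) {
        // block() only drives the demo from main; it must not be called on an event loop.
        System.out.println("inline:      " + inline().block());
        System.out.println("publishOn:   " + viaPublishOn().block());
        System.out.println("subscribeOn: " + viaSubscribeOn().block());
        Schedulers.shutdownNow();
    }
}
```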