Missing native-image reflection hint for CsrfTokenRequestAttributeHandler$SupplierCsrfToken

[mmoayyed]

Describe the bug

Spring Security 6.2.2-SNAPSHOT with Spring Boot 3.2.1 fails to register appropriate native image hints for:

• CsrfTokenRequestAttributeHandler$SupplierCsrfToken

Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1008E: Property or field 'token' cannot be found on object of type 'org.springframework.security.web.csrf.CsrfTokenRequestAttributeHandler$SupplierCsrfToken' - maybe not public or not valid?
	at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:228)
	at org.springframework.expression.spel.ast.PropertyOrFieldReference.getValueInternal(PropertyOrFieldReference.java:111)
	at org.springframework.expression.spel.ast.PropertyOrFieldReference$AccessorLValue.getValue(PropertyOrFieldReference.java:416)
	at org.springframework.expression.spel.ast.CompoundExpression.getValueInternal(CompoundExpression.java:98)
	at org.springframework.expression.spel.ast.SpelNodeImpl.getValue(SpelNodeImpl.java:114)
	at org.springframework.expression.spel.standard.SpelExpression.getValue(SpelExpression.java:338)
	at org.thymeleaf.spring6.expression.SPELVariableExpressionEvaluator.evaluate(SPELVariableExpressionEvaluator.java:265)
	... 217 common frames omitted

Link to GitHub Actions that runs the below commands: https://github.com/mmoayyed/cas/actions/runs/7376598119/job/20071321335

To Reproduce

# Need JDK 21
git clone --depth=1 git@github.com:mmoayyed/cas.git
cd cas

# Build the image
./ci/tests/puppeteer/run.sh --nb --scenario $PWD/ci/tests/puppeteer/scenarios/mfa-provider-selection-trigger-attr

# Run the image
./ci/tests/puppeteer/run.sh --nr --scenario $PWD/ci/tests/puppeteer/scenarios/mfa-provider-selection-trigger-attr

[mmoayyed]

Hello, is there anything I can do to help out and resolve this issue? Happy to test with 6.2.2-SNAPSHOT if you need a tester :)

[marcusdacoregio]

Hi, @mmoayyed. Sorry for the delay. Can you elaborate more on your setup to achieve the error or provide a minimal sample? My minimal sample works fine.

[mmoayyed]

I think you basically need to have the following stanza in your setup, if you do not have it already:

http.csrf(c -> {
    var pattern = new AntPathRequestMatcher("helloworld/**");
    var delegate = new XorCsrfTokenRequestAttributeHandler();
    delegate.setSecureRandom(...);
    c.requireCsrfProtectionMatcher(pattern)
        .csrfTokenRequestHandler(delegate::handle)
        .csrfTokenRepository(...);
});

Then the user-interface (thymeleaf in this case) should have something similar to:

    <meta name="_csrf" th:if="${_csrf}" th:content="${_csrf.token}"/>
    <meta name="_csrf_header" th:if="${_csrf}" th:content="${_csrf.headerName}"/>

Does this help?

[marcusdacoregio]

Thanks, @mmoayyed, that helped a lot. Initially I was thinking that Thymeleaf should add that hint since it is using SpEL and, therefore, reflection, to resolve the token. However, since we guide users to use the meta tag I decided that it would be good to include the hints ourself.

Thanks again for the report.

[mmoayyed]

Thanks much for taking care of this!