Blocking in WebSessionServerCsrfTokenRepository

[cbornet]

Summary

Detected by blockhound: WebSessionServerCsrfTokenRepository and CookieServerCsrfTokenRepository make blocking calls to UUID.randomUUID when generating the token.

It would be nice to have a non-blocking SecureRandom to solve this.
It can of course be offloaded to the boundedElastic scheduler but that looks sub optimal.

spring-security/web/src/main/java/org/springframework/security/web/server/csrf/WebSessionServerCsrfTokenRepository.java

Line 112 in 747d881

return UUID.randomUUID().toString();

Version

5.2.2.RELEASE

[rwinch]

Thanks for the report @cbornet!

I'm not aware of a non-blocking secure random source. Are you? If we don't have a non-blocking secure random source then I agree our best bet is to use the boundedElastic.

Would you be interested in submitting a PR?

[cbornet]

I'm not aware of a non-blocking secure random source. Are you?

No, I'm not either. I guess even reading /dev/random with NIO is still offloading to a thread-pool. Would be nice to have it in Java one day though.

I'll do the PR for boundedElastic, no problem

[cbornet]

I want to put a publishOn in generateToken but I don't find a good place
I coud do

	@Override
	public Mono<CsrfToken> generateToken(ServerWebExchange exchange) {
		return Mono.just(exchange)
			.publishOn(Schedulers.boundedElastic())
			.fromCallable(() -> createCsrfToken());
	}

but maybe there's a better way without wrapping exchange (which is not used) ?

[rwinch]

That looks correct to me.

[rwinch]

@cbornet Are you still interested in submitting this?

[cbornet]

Yes. Sorry I've been quite busy. I'll do it this week.