fix: isolate CSRF cookie per physical-tenant scope (#458)

* fix: isolate CSRF cookie per physical-tenant scope

* fix: scope CSRF cookie path to basePath on API chains

* fix: derive CSRF cookie prefix from X_CSRF_TOKEN to mirror session naming

* fix: also validate CSRF cookie name length in rejectCookieNameCollisions

Author: joaquinfelici

spring-boot-starter/src/main/java/io/camunda/security/spring/scope/ScopedApiSecurityChainBuilder.java

@@ -7,6 +7,8 @@
  */
 package io.camunda.security.spring.scope;
 
+import static io.camunda.security.spring.security.CamundaSecurityFilterChainConstants.X_CSRF_TOKEN;
+
 import io.camunda.security.api.model.config.AuthenticationConfiguration;
 import io.camunda.security.core.port.out.SecurityPathPort;
 import io.camunda.security.spring.CamundaSecurityLibraryProperties;
@@ -78,6 +80,25 @@ public SecurityFilterChain buildOidcApiChain(
       final JwtDecoder jwtDecoder,
       final SessionRepositoryFilter<?> sessionRepositoryFilter)
       throws Exception {
+    return buildOidcApiChainWith(
+        http,
+        matchers,
+        unprotectedMatchers,
+        jwtDecoder,
+        sessionRepositoryFilter,
+        null,
+        X_CSRF_TOKEN);
+  }
+
+  private SecurityFilterChain buildOidcApiChainWith(
+      final HttpSecurity http,
+      final Collection<String> matchers,
+      final Collection<String> unprotectedMatchers,
+      final JwtDecoder jwtDecoder,
+      final SessionRepositoryFilter<?> sessionRepositoryFilter,
+      final String csrfCookiePath,
+      final String csrfCookieName)
+      throws Exception {
     Objects.requireNonNull(jwtDecoder, "jwtDecoder must not be null");
     LOG.debug(
         "Building OIDC API chain for matchers={}, unprotected={}", matchers, unprotectedMatchers);
@@ -112,7 +133,8 @@ public SecurityFilterChain buildOidcApiChain(
             .oauth2Login(AbstractHttpConfigurer::disable)
             .oidcLogout(AbstractHttpConfigurer::disable)
             .logout(AbstractHttpConfigurer::disable);
-    SecurityFilterChainSupport.applyCsrfConfiguration(filterChainBuilder, properties, pathPort);
+    SecurityFilterChainSupport.applyCsrfConfiguration(
+        filterChainBuilder, properties, pathPort, csrfCookiePath, csrfCookieName);
     SecurityFilterChainSupport.setupSecureHeaders(filterChainBuilder, properties.getHttpHeaders());
 
     return filterChainBuilder.build();
@@ -130,6 +152,18 @@ public SecurityFilterChain buildBasicApiChain(
       final Collection<String> unprotectedMatchers,
       final SessionRepositoryFilter<?> sessionRepositoryFilter)
       throws Exception {
+    return buildBasicApiChainWith(
+        http, matchers, unprotectedMatchers, sessionRepositoryFilter, null, X_CSRF_TOKEN);
+  }
+
+  private SecurityFilterChain buildBasicApiChainWith(
+      final HttpSecurity http,
+      final Collection<String> matchers,
+      final Collection<String> unprotectedMatchers,
+      final SessionRepositoryFilter<?> sessionRepositoryFilter,
+      final String csrfCookiePath,
+      final String csrfCookieName)
+      throws Exception {
     LOG.debug(
         "Building Basic API chain for matchers={}, unprotected={}", matchers, unprotectedMatchers);
     if (sessionRepositoryFilter != null) {
@@ -156,7 +190,8 @@ public SecurityFilterChain buildBasicApiChain(
             .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.NEVER))
             .requestCache(cache -> cache.requestCache(new NullRequestCache()));
 
-    SecurityFilterChainSupport.applyCsrfConfiguration(filterChainBuilder, properties, pathPort);
+    SecurityFilterChainSupport.applyCsrfConfiguration(
+        filterChainBuilder, properties, pathPort, csrfCookiePath, csrfCookieName);
     SecurityFilterChainSupport.setupSecureHeaders(filterChainBuilder, properties.getHttpHeaders());
 
     return filterChainBuilder.build();
@@ -200,14 +235,24 @@ public SecurityFilterChain buildScopedApiChain(
     }
     final var matchers = pathPort.apiPaths().stream().map(p -> prefix + p).toList();
     final var unprotected = pathPort.unprotectedApiPaths().stream().map(p -> prefix + p).toList();
+    final var csrfCookieName = ScopedSecurityChainRegistrar.csrfCookieName(basePath);
     return switch (method) {
       case OIDC -> {
         final var decoder =
             Objects.requireNonNull(
                 oidcDecoderSupplier.get(), "oidcDecoderSupplier must not return a null JwtDecoder");
-        yield buildOidcApiChain(http, matchers, unprotected, decoder, sessionRepositoryFilter);
+        yield buildOidcApiChainWith(
+            http,
+            matchers,
+            unprotected,
+            decoder,
+            sessionRepositoryFilter,
+            basePath,
+            csrfCookieName);
       }
-      case BASIC -> buildBasicApiChain(http, matchers, unprotected, sessionRepositoryFilter);
+      case BASIC ->
+          buildBasicApiChainWith(
+              http, matchers, unprotected, sessionRepositoryFilter, basePath, csrfCookieName);
       default -> throw new IllegalStateException("Unsupported authentication method: " + method);
     };
   }
@@ -283,7 +328,12 @@ public SecurityFilterChain buildUnprotectedScopedApiChain(
             .formLogin(AbstractHttpConfigurer::disable)
             .anonymous(AbstractHttpConfigurer::disable);
 
-    SecurityFilterChainSupport.applyCsrfConfiguration(filterChainBuilder, properties, pathPort);
+    SecurityFilterChainSupport.applyCsrfConfiguration(
+        filterChainBuilder,
+        properties,
+        pathPort,
+        basePath,
+        ScopedSecurityChainRegistrar.csrfCookieName(basePath));
     SecurityFilterChainSupport.setupSecureHeaders(filterChainBuilder, properties.getHttpHeaders());
 
     return filterChainBuilder.build();

spring-boot-starter/src/main/java/io/camunda/security/spring/scope/ScopedSecurityChainRegistrar.java

@@ -8,6 +8,7 @@
 package io.camunda.security.spring.scope;
 
 import static io.camunda.security.spring.security.CamundaSecurityFilterChainConstants.ORDER_WEBAPP_API;
+import static io.camunda.security.spring.security.CamundaSecurityFilterChainConstants.X_CSRF_TOKEN;
 
 import io.camunda.security.api.context.CamundaSecurityScopeProvider;
 import io.camunda.security.api.model.config.ScopedSecurityDescriptor;
@@ -47,6 +48,7 @@
 final class ScopedSecurityChainRegistrar implements BeanDefinitionRegistryPostProcessor {
 
   static final String SESSION_COOKIE_PREFIX = "camunda-session-";
+  static final String CSRF_COOKIE_PREFIX = X_CSRF_TOKEN + "-";
   static final int MAX_COOKIE_NAME_LENGTH =
       200; // well under the RFC 6265 4096-byte name=value budget
 
@@ -273,7 +275,8 @@ private OrderedSecurityFilterChainWrapper buildWebappChain(
               descriptor.basePath(),
               descriptor.authentication(),
               sessionFilter,
-              sessionCookieName(descriptor.basePath()));
+              sessionCookieName(descriptor.basePath()),
+              csrfCookieName(descriptor.basePath()));
       return new OrderedSecurityFilterChainWrapper(chain, ORDER_WEBAPP_API);
     } catch (final IllegalStateException ex) {
       throw ex;
@@ -288,6 +291,11 @@ static String sessionCookieName(final String basePath) {
     return SESSION_COOKIE_PREFIX + sanitizeBasePath(basePath);
   }
 
+  /** The per-scope CSRF cookie name: {@code X-CSRF-TOKEN-<sanitize(basePath)>}. */
+  static String csrfCookieName(final String basePath) {
+    return CSRF_COOKIE_PREFIX + sanitizeBasePath(basePath);
+  }
+
   static void rejectCookieNameCollisions(final List<ScopedSecurityDescriptor> descriptors) {
     final var seen = new HashSet<String>();
     final var collisions = new LinkedHashSet<String>();
@@ -302,19 +310,21 @@ static void rejectCookieNameCollisions(final List<ScopedSecurityDescriptor> desc
                 + SESSION_COOKIE_PREFIX
                 + "'. Use a basePath containing alphanumerics.");
       }
-      final var name = SESSION_COOKIE_PREFIX + suffix;
-      if (name.length() > MAX_COOKIE_NAME_LENGTH) {
+      final var sessionName = SESSION_COOKIE_PREFIX + suffix;
+      final var csrfName = CSRF_COOKIE_PREFIX + suffix;
+      if (sessionName.length() > MAX_COOKIE_NAME_LENGTH
+          || csrfName.length() > MAX_COOKIE_NAME_LENGTH) {
         throw new IllegalStateException(
             "Derived session cookie name for basePath="
                 + d.basePath()
                 + " exceeds the maximum length of "
                 + MAX_COOKIE_NAME_LENGTH
                 + " characters ("
-                + name.length()
+                + sessionName.length()
                 + "). Use a shorter basePath.");
       }
-      if (!seen.add(name)) {
-        collisions.add(name);
+      if (!seen.add(sessionName)) {
+        collisions.add(sessionName);
       }
     }
     if (!collisions.isEmpty()) {

spring-boot-starter/src/main/java/io/camunda/security/spring/security/ScopedWebappSecurityChainBuilder.java

@@ -306,7 +306,8 @@ public SecurityFilterChain buildScopedWebappChain(
       final String basePath,
       final AuthenticationConfiguration authentication,
       final SessionRepositoryFilter<?> sessionRepositoryFilter,
-      final String scopedSessionCookieName)
+      final String scopedSessionCookieName,
+      final String scopedCsrfCookieName)
       throws Exception {
     Objects.requireNonNull(http, "http must not be null");
     Objects.requireNonNull(basePath, "basePath must not be null");
@@ -316,6 +317,7 @@ public SecurityFilterChain buildScopedWebappChain(
     Objects.requireNonNull(authentication.getMethod(), "authentication.method must not be null");
     Objects.requireNonNull(sessionRepositoryFilter, "sessionRepositoryFilter must not be null");
     Objects.requireNonNull(scopedSessionCookieName, "scopedSessionCookieName must not be null");
+    Objects.requireNonNull(scopedCsrfCookieName, "scopedCsrfCookieName must not be null");
     Objects.requireNonNull(
         authorizedClientManagerFactory, "authorizedClientManagerFactory must not be null");
     Objects.requireNonNull(
@@ -335,10 +337,15 @@ public SecurityFilterChain buildScopedWebappChain(
     return switch (authentication.getMethod()) {
       case OIDC ->
           buildOidcWebappChainInternal(
-              http, prefix, authentication, sessionRepositoryFilter, scopedSessionCookieName);
+              http,
+              prefix,
+              authentication,
+              sessionRepositoryFilter,
+              scopedSessionCookieName,
+              scopedCsrfCookieName);
       case BASIC ->
           buildBasicWebappChainInternal(
-              http, prefix, sessionRepositoryFilter, scopedSessionCookieName);
+              http, prefix, sessionRepositoryFilter, scopedSessionCookieName, scopedCsrfCookieName);
       default ->
           throw new IllegalStateException(
               "Unsupported authentication method: " + authentication.getMethod());
@@ -404,7 +411,8 @@ private SecurityFilterChain buildOidcWebappChainInternal(
       final String prefix,
       final AuthenticationConfiguration authentication,
       final SessionRepositoryFilter<?> sessionRepositoryFilter,
-      final String scopedSessionCookieName)
+      final String scopedSessionCookieName,
+      final String scopedCsrfCookieName)
       throws Exception {
 
     final var matchers = pathPort.webappPaths().stream().map(p -> prefix + p).toList();
@@ -490,7 +498,7 @@ private SecurityFilterChain buildOidcWebappChainInternal(
                       .addLogoutHandler(
                           pathScopedCookieClearingLogoutHandler(scopedSessionCookieName, prefix))
                       .addLogoutHandler(
-                          pathScopedCookieClearingLogoutHandler(X_CSRF_TOKEN, prefix));
+                          pathScopedCookieClearingLogoutHandler(scopedCsrfCookieName, prefix));
                   logoutSuccessHandlerProvider.ifAvailable(logout::logoutSuccessHandler);
                 });
 
@@ -499,7 +507,7 @@ private SecurityFilterChain buildOidcWebappChainInternal(
     final var logoutHandler =
         new CompositeLogoutHandler(
             pathScopedCookieClearingLogoutHandler(scopedSessionCookieName, prefix),
-            pathScopedCookieClearingLogoutHandler(X_CSRF_TOKEN, prefix),
+            pathScopedCookieClearingLogoutHandler(scopedCsrfCookieName, prefix),
             new SecurityContextLogoutHandler());
     filterChainBuilder.addFilterAfter(
         new OAuth2RefreshTokenFilter(
@@ -515,7 +523,7 @@ private SecurityFilterChain buildOidcWebappChainInternal(
     }
 
     SecurityFilterChainSupport.applyCsrfConfiguration(
-        filterChainBuilder, properties, pathPort, prefix);
+        filterChainBuilder, properties, pathPort, prefix, scopedCsrfCookieName);
     SecurityFilterChainSupport.setupSecureHeaders(filterChainBuilder, properties.getHttpHeaders());
 
     // Install the multi-IdP login picker (GH-269): the custom entry point trips
@@ -532,7 +540,8 @@ private SecurityFilterChain buildBasicWebappChainInternal(
       final HttpSecurity http,
       final String prefix,
       final SessionRepositoryFilter<?> sessionRepositoryFilter,
-      final String scopedSessionCookieName)
+      final String scopedSessionCookieName,
+      final String scopedCsrfCookieName)
       throws Exception {
 
     final var matchers = pathPort.webappPaths().stream().map(p -> prefix + p).toList();
@@ -572,7 +581,7 @@ private SecurityFilterChain buildBasicWebappChainInternal(
                         .addLogoutHandler(
                             pathScopedCookieClearingLogoutHandler(scopedSessionCookieName, prefix))
                         .addLogoutHandler(
-                            pathScopedCookieClearingLogoutHandler(X_CSRF_TOKEN, prefix)))
+                            pathScopedCookieClearingLogoutHandler(scopedCsrfCookieName, prefix)))
             .exceptionHandling(
                 eh ->
                     eh.authenticationEntryPoint(authFailureHandler)
@@ -590,7 +599,7 @@ private SecurityFilterChain buildBasicWebappChainInternal(
     }
 
     SecurityFilterChainSupport.applyCsrfConfiguration(
-        filterChainBuilder, properties, pathPort, prefix);
+        filterChainBuilder, properties, pathPort, prefix, scopedCsrfCookieName);
     SecurityFilterChainSupport.setupSecureHeaders(filterChainBuilder, properties.getHttpHeaders());
 
     return filterChainBuilder.build();

spring-boot-starter/src/main/java/io/camunda/security/spring/security/SecurityFilterChainSupport.java

@@ -23,6 +23,7 @@
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.HashSet;
+import java.util.Objects;
 import java.util.Set;
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -77,19 +78,32 @@ static Set<String> csrfAllowedPaths(
 
   public static CookieCsrfTokenRepository cookieCsrfTokenRepository(
       final CamundaSecurityLibraryProperties properties) {
-    return cookieCsrfTokenRepository(properties, null);
+    return buildCookieCsrfTokenRepository(properties, null, X_CSRF_TOKEN);
   }
 
   public static CookieCsrfTokenRepository cookieCsrfTokenRepository(
       final CamundaSecurityLibraryProperties properties, final String cookiePath) {
-    return buildCookieCsrfTokenRepository(properties, resolveCookiePath(cookiePath));
+    return buildCookieCsrfTokenRepository(properties, resolveCookiePath(cookiePath), X_CSRF_TOKEN);
+  }
+
+  public static CookieCsrfTokenRepository cookieCsrfTokenRepository(
+      final CamundaSecurityLibraryProperties properties,
+      final String cookiePath,
+      final String cookieName) {
+    return buildCookieCsrfTokenRepository(properties, resolveCookiePath(cookiePath), cookieName);
   }
 
   private static CookieCsrfTokenRepository buildCookieCsrfTokenRepository(
-      final CamundaSecurityLibraryProperties properties, final String resolvedCookiePath) {
+      final CamundaSecurityLibraryProperties properties,
+      final String resolvedCookiePath,
+      final String cookieName) {
+    Objects.requireNonNull(cookieName, "cookieName must not be null");
+    if (cookieName.isBlank()) {
+      throw new IllegalArgumentException("cookieName must not be blank");
+    }
     final CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();
     repository.setHeaderName(X_CSRF_TOKEN);
-    repository.setCookieName(X_CSRF_TOKEN);
+    repository.setCookieName(cookieName);
     final boolean httpOnly = properties.getCsrf().isCookieHttpOnly();
     repository.setCookieCustomizer(builder -> builder.httpOnly(httpOnly));
     if (resolvedCookiePath != null) {
@@ -122,7 +136,7 @@ public static void applyCsrfConfiguration(
       final CamundaSecurityLibraryProperties properties,
       final SecurityPathPort pathPort)
       throws Exception {
-    applyCsrfConfiguration(http, properties, pathPort, null);
+    applyCsrfConfiguration(http, properties, pathPort, null, X_CSRF_TOKEN);
   }
 
   public static void applyCsrfConfiguration(
@@ -131,6 +145,16 @@ public static void applyCsrfConfiguration(
       final SecurityPathPort pathPort,
       final String cookiePath)
       throws Exception {
+    applyCsrfConfiguration(http, properties, pathPort, cookiePath, X_CSRF_TOKEN);
+  }
+
+  public static void applyCsrfConfiguration(
+      final HttpSecurity http,
+      final CamundaSecurityLibraryProperties properties,
+      final SecurityPathPort pathPort,
+      final String cookiePath,
+      final String csrfCookieName)
+      throws Exception {
     if (!properties.getCsrf().isEnabled()) {
       http.csrf(AbstractHttpConfigurer::disable);
       return;
@@ -140,7 +164,7 @@ public static void applyCsrfConfiguration(
 
     final String resolvedCookiePath = resolveCookiePath(cookiePath);
     final CookieCsrfTokenRepository repo =
-        buildCookieCsrfTokenRepository(properties, resolvedCookiePath);
+        buildCookieCsrfTokenRepository(properties, resolvedCookiePath, csrfCookieName);
     final CsrfTokenRepository csrfTokenRepository =
         (resolvedCookiePath != null)
             ? new ContextPathScopedCsrfTokenRepository(repo, resolvedCookiePath)