fix: isolate CSRF cookie per physical-tenant scope

Author: joaquinfelici

spring-boot-starter/src/main/java/io/camunda/security/spring/scope/ScopedSecurityChainRegistrar.java

@@ -47,6 +47,7 @@
 final class ScopedSecurityChainRegistrar implements BeanDefinitionRegistryPostProcessor {
 
   static final String SESSION_COOKIE_PREFIX = "camunda-session-";
+  static final String CSRF_COOKIE_PREFIX = "camunda-csrf-";
   static final int MAX_COOKIE_NAME_LENGTH =
       200; // well under the RFC 6265 4096-byte name=value budget
 
@@ -273,7 +274,8 @@ private OrderedSecurityFilterChainWrapper buildWebappChain(
               descriptor.basePath(),
               descriptor.authentication(),
               sessionFilter,
-              sessionCookieName(descriptor.basePath()));
+              sessionCookieName(descriptor.basePath()),
+              csrfCookieName(descriptor.basePath()));
       return new OrderedSecurityFilterChainWrapper(chain, ORDER_WEBAPP_API);
     } catch (final IllegalStateException ex) {
       throw ex;
@@ -288,6 +290,11 @@ static String sessionCookieName(final String basePath) {
     return SESSION_COOKIE_PREFIX + sanitizeBasePath(basePath);
   }
 
+  /** The per-scope CSRF cookie name: {@code camunda-csrf-<sanitize(basePath)>}. */
+  static String csrfCookieName(final String basePath) {
+    return CSRF_COOKIE_PREFIX + sanitizeBasePath(basePath);
+  }
+
   static void rejectCookieNameCollisions(final List<ScopedSecurityDescriptor> descriptors) {
     final var seen = new HashSet<String>();
     final var collisions = new LinkedHashSet<String>();

spring-boot-starter/src/main/java/io/camunda/security/spring/security/ScopedWebappSecurityChainBuilder.java

@@ -306,7 +306,8 @@ public SecurityFilterChain buildScopedWebappChain(
       final String basePath,
       final AuthenticationConfiguration authentication,
       final SessionRepositoryFilter<?> sessionRepositoryFilter,
-      final String scopedSessionCookieName)
+      final String scopedSessionCookieName,
+      final String scopedCsrfCookieName)
       throws Exception {
     Objects.requireNonNull(http, "http must not be null");
     Objects.requireNonNull(basePath, "basePath must not be null");
@@ -316,6 +317,7 @@ public SecurityFilterChain buildScopedWebappChain(
     Objects.requireNonNull(authentication.getMethod(), "authentication.method must not be null");
     Objects.requireNonNull(sessionRepositoryFilter, "sessionRepositoryFilter must not be null");
     Objects.requireNonNull(scopedSessionCookieName, "scopedSessionCookieName must not be null");
+    Objects.requireNonNull(scopedCsrfCookieName, "scopedCsrfCookieName must not be null");
     Objects.requireNonNull(
         authorizedClientManagerFactory, "authorizedClientManagerFactory must not be null");
     Objects.requireNonNull(
@@ -335,10 +337,15 @@ public SecurityFilterChain buildScopedWebappChain(
     return switch (authentication.getMethod()) {
       case OIDC ->
           buildOidcWebappChainInternal(
-              http, prefix, authentication, sessionRepositoryFilter, scopedSessionCookieName);
+              http,
+              prefix,
+              authentication,
+              sessionRepositoryFilter,
+              scopedSessionCookieName,
+              scopedCsrfCookieName);
       case BASIC ->
           buildBasicWebappChainInternal(
-              http, prefix, sessionRepositoryFilter, scopedSessionCookieName);
+              http, prefix, sessionRepositoryFilter, scopedSessionCookieName, scopedCsrfCookieName);
       default ->
           throw new IllegalStateException(
               "Unsupported authentication method: " + authentication.getMethod());
@@ -404,7 +411,8 @@ private SecurityFilterChain buildOidcWebappChainInternal(
       final String prefix,
       final AuthenticationConfiguration authentication,
       final SessionRepositoryFilter<?> sessionRepositoryFilter,
-      final String scopedSessionCookieName)
+      final String scopedSessionCookieName,
+      final String scopedCsrfCookieName)
       throws Exception {
 
     final var matchers = pathPort.webappPaths().stream().map(p -> prefix + p).toList();
@@ -490,7 +498,7 @@ private SecurityFilterChain buildOidcWebappChainInternal(
                       .addLogoutHandler(
                           pathScopedCookieClearingLogoutHandler(scopedSessionCookieName, prefix))
                       .addLogoutHandler(
-                          pathScopedCookieClearingLogoutHandler(X_CSRF_TOKEN, prefix));
+                          pathScopedCookieClearingLogoutHandler(scopedCsrfCookieName, prefix));
                   logoutSuccessHandlerProvider.ifAvailable(logout::logoutSuccessHandler);
                 });
 
@@ -499,7 +507,7 @@ private SecurityFilterChain buildOidcWebappChainInternal(
     final var logoutHandler =
         new CompositeLogoutHandler(
             pathScopedCookieClearingLogoutHandler(scopedSessionCookieName, prefix),
-            pathScopedCookieClearingLogoutHandler(X_CSRF_TOKEN, prefix),
+            pathScopedCookieClearingLogoutHandler(scopedCsrfCookieName, prefix),
             new SecurityContextLogoutHandler());
     filterChainBuilder.addFilterAfter(
         new OAuth2RefreshTokenFilter(
@@ -515,7 +523,7 @@ private SecurityFilterChain buildOidcWebappChainInternal(
     }
 
     SecurityFilterChainSupport.applyCsrfConfiguration(
-        filterChainBuilder, properties, pathPort, prefix);
+        filterChainBuilder, properties, pathPort, prefix, scopedCsrfCookieName);
     SecurityFilterChainSupport.setupSecureHeaders(filterChainBuilder, properties.getHttpHeaders());
 
     // Install the multi-IdP login picker (GH-269): the custom entry point trips
@@ -532,7 +540,8 @@ private SecurityFilterChain buildBasicWebappChainInternal(
       final HttpSecurity http,
       final String prefix,
       final SessionRepositoryFilter<?> sessionRepositoryFilter,
-      final String scopedSessionCookieName)
+      final String scopedSessionCookieName,
+      final String scopedCsrfCookieName)
       throws Exception {
 
     final var matchers = pathPort.webappPaths().stream().map(p -> prefix + p).toList();
@@ -572,7 +581,7 @@ private SecurityFilterChain buildBasicWebappChainInternal(
                         .addLogoutHandler(
                             pathScopedCookieClearingLogoutHandler(scopedSessionCookieName, prefix))
                         .addLogoutHandler(
-                            pathScopedCookieClearingLogoutHandler(X_CSRF_TOKEN, prefix)))
+                            pathScopedCookieClearingLogoutHandler(scopedCsrfCookieName, prefix)))
             .exceptionHandling(
                 eh ->
                     eh.authenticationEntryPoint(authFailureHandler)
@@ -590,7 +599,7 @@ private SecurityFilterChain buildBasicWebappChainInternal(
     }
 
     SecurityFilterChainSupport.applyCsrfConfiguration(
-        filterChainBuilder, properties, pathPort, prefix);
+        filterChainBuilder, properties, pathPort, prefix, scopedCsrfCookieName);
     SecurityFilterChainSupport.setupSecureHeaders(filterChainBuilder, properties.getHttpHeaders());
 
     return filterChainBuilder.build();

spring-boot-starter/src/main/java/io/camunda/security/spring/security/SecurityFilterChainSupport.java

@@ -77,19 +77,28 @@ static Set<String> csrfAllowedPaths(
 
   public static CookieCsrfTokenRepository cookieCsrfTokenRepository(
       final CamundaSecurityLibraryProperties properties) {
-    return cookieCsrfTokenRepository(properties, null);
+    return buildCookieCsrfTokenRepository(properties, null, X_CSRF_TOKEN);
   }
 
   public static CookieCsrfTokenRepository cookieCsrfTokenRepository(
       final CamundaSecurityLibraryProperties properties, final String cookiePath) {
-    return buildCookieCsrfTokenRepository(properties, resolveCookiePath(cookiePath));
+    return buildCookieCsrfTokenRepository(properties, resolveCookiePath(cookiePath), X_CSRF_TOKEN);
+  }
+
+  public static CookieCsrfTokenRepository cookieCsrfTokenRepository(
+      final CamundaSecurityLibraryProperties properties,
+      final String cookiePath,
+      final String cookieName) {
+    return buildCookieCsrfTokenRepository(properties, resolveCookiePath(cookiePath), cookieName);
   }
 
   private static CookieCsrfTokenRepository buildCookieCsrfTokenRepository(
-      final CamundaSecurityLibraryProperties properties, final String resolvedCookiePath) {
+      final CamundaSecurityLibraryProperties properties,
+      final String resolvedCookiePath,
+      final String cookieName) {
     final CookieCsrfTokenRepository repository = new CookieCsrfTokenRepository();
     repository.setHeaderName(X_CSRF_TOKEN);
-    repository.setCookieName(X_CSRF_TOKEN);
+    repository.setCookieName(cookieName);
     final boolean httpOnly = properties.getCsrf().isCookieHttpOnly();
     repository.setCookieCustomizer(builder -> builder.httpOnly(httpOnly));
     if (resolvedCookiePath != null) {
@@ -122,7 +131,7 @@ public static void applyCsrfConfiguration(
       final CamundaSecurityLibraryProperties properties,
       final SecurityPathPort pathPort)
       throws Exception {
-    applyCsrfConfiguration(http, properties, pathPort, null);
+    applyCsrfConfiguration(http, properties, pathPort, null, X_CSRF_TOKEN);
   }
 
   public static void applyCsrfConfiguration(
@@ -131,6 +140,16 @@ public static void applyCsrfConfiguration(
       final SecurityPathPort pathPort,
       final String cookiePath)
       throws Exception {
+    applyCsrfConfiguration(http, properties, pathPort, cookiePath, X_CSRF_TOKEN);
+  }
+
+  public static void applyCsrfConfiguration(
+      final HttpSecurity http,
+      final CamundaSecurityLibraryProperties properties,
+      final SecurityPathPort pathPort,
+      final String cookiePath,
+      final String csrfCookieName)
+      throws Exception {
     if (!properties.getCsrf().isEnabled()) {
       http.csrf(AbstractHttpConfigurer::disable);
       return;
@@ -140,7 +159,7 @@ public static void applyCsrfConfiguration(
 
     final String resolvedCookiePath = resolveCookiePath(cookiePath);
     final CookieCsrfTokenRepository repo =
-        buildCookieCsrfTokenRepository(properties, resolvedCookiePath);
+        buildCookieCsrfTokenRepository(properties, resolvedCookiePath, csrfCookieName);
     final CsrfTokenRepository csrfTokenRepository =
         (resolvedCookiePath != null)
             ? new ContextPathScopedCsrfTokenRepository(repo, resolvedCookiePath)

spring-boot-starter/src/test/java/io/camunda/security/spring/scope/ScopedSecurityChainRegistrarTest.java

@@ -71,6 +71,19 @@ void distinctBasePathsCanSanitiseToTheSameFragment() {
         .isEqualTo("a-b");
   }
 
+  @Test
+  void csrfCookieNameIsPrefixedWithCamundaCsrf() {
+    assertThat(ScopedSecurityChainRegistrar.csrfCookieName("/physical-tenants/t1"))
+        .isEqualTo("camunda-csrf-physical-tenants-t1");
+  }
+
+  @Test
+  void csrfAndSessionCookieNamesAreDifferentForTheSameBasePath() {
+    final var basePath = "/physical-tenants/t1";
+    assertThat(ScopedSecurityChainRegistrar.csrfCookieName(basePath))
+        .isNotEqualTo(ScopedSecurityChainRegistrar.sessionCookieName(basePath));
+  }
+
   @Test
   void rejectsBasePathsThatSanitizeToCollidingCookieNames() {
     final var descriptors =

spring-boot-starter/src/test/java/io/camunda/security/spring/security/ScopedWebappSecurityChainBuilderScopedTest.java

@@ -251,16 +251,75 @@ void scopedBasicChainLogoutClearsScopedCookiesAtBasePath() throws Exception {
                               && h.contains("Max-Age=0")
                               && h.contains("Path=" + BASE_PATH));
 
+              final var csrfCookieName = "camunda-csrf-physical-tenants-t1";
               assertThat(cookieHeaders)
-                  .as("logout must emit a Set-Cookie clearing the CSRF cookie at basePath")
+                  .as("logout must emit a Set-Cookie clearing the per-scope CSRF cookie")
                   .anyMatch(
                       h ->
-                          h.contains("X-CSRF-TOKEN=")
+                          h.contains(csrfCookieName + "=")
                               && h.contains("Max-Age=0")
                               && h.contains("Path=" + BASE_PATH));
             });
   }
 
+  @Test
+  void twoScopedChainsHaveIndependentCsrfCookiesThatDoNotCrossContaminate() throws Exception {
+    new WebApplicationContextRunner()
+        .withUserConfiguration(
+            ObjectMapperConfig.class,
+            StubPaths.class,
+            StubUserDetailsPortConfig.class,
+            TwoScopedBasicChainsConfig.class)
+        .withConfiguration(
+            AutoConfigurations.of(
+                CamundaSecurityConfiguration.class,
+                BaseSecurityConfiguration.class,
+                AuthFailureHandlerConfiguration.class,
+                io.camunda.security.spring.user.UserConfiguration.class,
+                ScopedOidcInfrastructureConfiguration.class,
+                ScopedWebappSecurityChainBuilderConfiguration.class))
+        .run(
+            ctx -> {
+              final var chainT1 = ctx.getBean("scopedBasicChainForT1", SecurityFilterChain.class);
+              final var chainT2 = ctx.getBean("scopedBasicChainForT2", SecurityFilterChain.class);
+
+              final var requestT1 =
+                  new MockHttpServletRequest("POST", "/physical-tenants/t1/logout");
+              final var responseT1 = new MockHttpServletResponse();
+              new FilterChainProxy(List.of(chainT1))
+                  .doFilter(requestT1, responseT1, new MockFilterChain());
+
+              final var requestT2 =
+                  new MockHttpServletRequest("POST", "/physical-tenants/t2/logout");
+              final var responseT2 = new MockHttpServletResponse();
+              new FilterChainProxy(List.of(chainT2))
+                  .doFilter(requestT2, responseT2, new MockFilterChain());
+
+              final var cookiesT1 = responseT1.getHeaders("Set-Cookie");
+              final var cookiesT2 = responseT2.getHeaders("Set-Cookie");
+
+              assertThat(cookiesT1)
+                  .as("t1 logout must clear its own per-scope CSRF cookie")
+                  .anyMatch(
+                      h ->
+                          h.contains("camunda-csrf-physical-tenants-t1=")
+                              && h.contains("Max-Age=0"));
+              assertThat(cookiesT1)
+                  .as("t1 logout must not touch t2's CSRF cookie")
+                  .noneMatch(h -> h.contains("camunda-csrf-physical-tenants-t2="));
+
+              assertThat(cookiesT2)
+                  .as("t2 logout must clear its own per-scope CSRF cookie")
+                  .anyMatch(
+                      h ->
+                          h.contains("camunda-csrf-physical-tenants-t2=")
+                              && h.contains("Max-Age=0"));
+              assertThat(cookiesT2)
+                  .as("t2 logout must not touch t1's CSRF cookie")
+                  .noneMatch(h -> h.contains("camunda-csrf-physical-tenants-t1="));
+            });
+  }
+
   @Test
   void buildScopedWebappChainRejectsRootBasePath() {
     runner.run(
@@ -275,7 +334,12 @@ void buildScopedWebappChainRejectsRootBasePath() {
               .isThrownBy(
                   () ->
                       builder.buildScopedWebappChain(
-                          http, "/", authentication, sessionFilter, "session-cookie"))
+                          http,
+                          "/",
+                          authentication,
+                          sessionFilter,
+                          "session-cookie",
+                          "csrf-cookie"))
               .withMessageContaining("must not be the root path");
         });
   }
@@ -329,7 +393,12 @@ SecurityFilterChain scopedOidcTestChain(
       final var authentication = buildOidcAuthentication("oidc");
       final var sessionFilter = buildSessionFilter();
       return builder.buildScopedWebappChain(
-          http, BASE_PATH, authentication, sessionFilter, "camunda-session-physical-tenants-t1");
+          http,
+          BASE_PATH,
+          authentication,
+          sessionFilter,
+          "camunda-session-physical-tenants-t1",
+          "camunda-csrf-physical-tenants-t1");
     }
 
     private static SessionRepositoryFilter<?> buildSessionFilter() {
@@ -376,7 +445,12 @@ SecurityFilterChain scopedOidcMultiIdpTestChain(
       final var sessionFilter =
           new SessionRepositoryFilter<>(new MapSessionRepository(new ConcurrentHashMap<>()));
       return builder.buildScopedWebappChain(
-          http, BASE_PATH, authentication, sessionFilter, "camunda-session-physical-tenants-t1");
+          http,
+          BASE_PATH,
+          authentication,
+          sessionFilter,
+          "camunda-session-physical-tenants-t1",
+          "camunda-csrf-physical-tenants-t1");
     }
 
     private static AuthenticationConfiguration buildOidcAuthentication(
@@ -425,7 +499,48 @@ SecurityFilterChain scopedBasicTestChain(
       final var sessionFilter =
           new SessionRepositoryFilter<>(new MapSessionRepository(new ConcurrentHashMap<>()));
       return builder.buildScopedWebappChain(
-          http, BASE_PATH, authentication, sessionFilter, "camunda-session-physical-tenants-t1");
+          http,
+          BASE_PATH,
+          authentication,
+          sessionFilter,
+          "camunda-session-physical-tenants-t1",
+          "camunda-csrf-physical-tenants-t1");
+    }
+  }
+
+  @Configuration
+  static class TwoScopedBasicChainsConfig {
+
+    @Bean("scopedBasicChainForT1")
+    SecurityFilterChain scopedBasicChainForT1(
+        final HttpSecurity http, final ScopedWebappSecurityChainBuilder builder) throws Exception {
+      final var authentication = new AuthenticationConfiguration();
+      authentication.setMethod(AuthenticationMethod.BASIC);
+      final var sessionFilter =
+          new SessionRepositoryFilter<>(new MapSessionRepository(new ConcurrentHashMap<>()));
+      return builder.buildScopedWebappChain(
+          http,
+          "/physical-tenants/t1",
+          authentication,
+          sessionFilter,
+          "camunda-session-physical-tenants-t1",
+          "camunda-csrf-physical-tenants-t1");
+    }
+
+    @Bean("scopedBasicChainForT2")
+    SecurityFilterChain scopedBasicChainForT2(
+        final HttpSecurity http, final ScopedWebappSecurityChainBuilder builder) throws Exception {
+      final var authentication = new AuthenticationConfiguration();
+      authentication.setMethod(AuthenticationMethod.BASIC);
+      final var sessionFilter =
+          new SessionRepositoryFilter<>(new MapSessionRepository(new ConcurrentHashMap<>()));
+      return builder.buildScopedWebappChain(
+          http,
+          "/physical-tenants/t2",
+          authentication,
+          sessionFilter,
+          "camunda-session-physical-tenants-t2",
+          "camunda-csrf-physical-tenants-t2");
     }
   }
 }