Our application using spring framework need to implement request based CSRF token in order to meet security requirements. Currently we have session based CSRF token provided by HttpSessionCsrfTokenRepository as Spring default. According to instruction I found, by configuring xml like this
<security:csrf token-repository-ref="customRequestCsrfTokenRepository"/>
<bean id="customRequestCsrfTokenRepository" class="com.dev.common_web.security.configuration.CustomCsrfTokenRepository"/>
Custom token repository which implements CsrfTokenRepository interface will be loaded to handle token request.
However when application starts, and running in debug mode, I can see it is spring default HttpSessionCsrfTokenRepository is used to handle loading and generating of token. I have also tried using spring CookieCsrfTokenRepository in xml config like
<security:csrf token-repository-ref="cookieCsrfTokenRepository"/>
<bean id="cookieCsrfTokenRepository" class="org.springframework.security.web.csrf.CookieCsrfTokenRepository"/>
And when application is running, it is again HttpSessionCsrfTokenRepository which is loaded to handle token request. Seems it doesn't matter what is configured as value of "token-repository-ref" in xml, it is always HttpSessionCsrfTokenRepository in use.
How to configure spring to use other csrf token repository instead of the default HttpSessionCsrfTokenRepository? We are using Spring 5.2.
