The CsrfAuthenticationStrategy in Spring Security 5.8 is instantiated with CsrfTokenRequestAttributeHandler by default: .8.x/web/src/main/java//springframework/security/web/csrf/CsrfAuthenticationStrategy.java#L45
In Spring 6.X I see it has been changed to: .java#L44
In the project's Spring Security config, the XorCsrfTokenRequestAttributeHandler is used in the `<security:csrf token-repository-ref="csrfTokenRepository" request-matcher-ref="csrfProtectionMatcher" request-handler-ref="xorCsrfTokenRequestAttributeHandler" />` element; however, this is not taken into account when the CsrfAuthenticationStrategy is instantiated. Is there a way to customize this behaviour?

The session-authentication-strategy-ref is already pointing to a custom implementation, so using that is not an option.