
Commit 8cb97a0

committed
Default CsrfFilter.csrfRequestAttributeName = _csrf
1 parent 7d6552b commit 8cb97a0


2 files changed

+15
-13
lines changed


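--- a/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/CsrfFilter.java
@@ -86,7 +86,7 @@ public final class CsrfFilter extends OncePerRequestFilter {
 
 private AccessDeniedHandler accessDeniedHandler = new AccessDeniedHandlerImpl();
 
-private String csrfRequestAttributeName;
+private String csrfRequestAttributeName = "_csrf";
 
 public CsrfFilter(CsrfTokenRepository csrfTokenRepository) {
 Assert.notNull(csrfTokenRepository, "csrfTokenRepository cannot be null");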
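Review bot: The initializer on new line 89 of CsrfFilter.java hard-codes the literal "_csrf" on the field with no comment, and nothing in the hunk shows the Javadoc of the corresponding setter (outside the hunk) stating the new default or whether passing null still restores the earlier behaviour of exposing the token under `token.getParameterName()`, which the old test assertions suggest was the case. I would pull the literal into a named constant and document the field: `private static final String DEFAULT_CSRF_REQUEST_ATTRIBUTE_NAME = "_csrf";`, `private String csrfRequestAttributeName = DEFAULT_CSRF_REQUEST_ATTRIBUTE_NAME;`, preceded by `// Request attribute under which the CsrfToken is published; defaults to "_csrf" independently of the repository's parameter name`. If the null fallback was indeed the previous behaviour, applications whose CsrfTokenRepository uses a non-default parameter name and that looked the token up under that attribute will stop finding it, which deserves a sentence in the setter's Javadoc. The CsrfFilter class body continues outside the hunk.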

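--- a/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/csrf/CsrfFilterTests.java
@@ -75,6 +75,8 @@ public class CsrfFilterTests {
 
 private CsrfToken token;
 
+private String csrfAttrName = "_csrf";
+
 private CsrfFilter filter;
 
 @BeforeEach
@@ -108,7 +110,7 @@ public void doFilterDoesNotSaveCsrfTokenUntilAccessed() throws ServletException,
 given(this.requestMatcher.matches(this.request)).willReturn(false);
 given(this.tokenRepository.generateToken(this.request)).willReturn(this.token);
 this.filter.doFilter(this.request, this.response, this.filterChain);
-CsrfToken attrToken = (CsrfToken) this.request.getAttribute(this.token.getParameterName());
+CsrfToken attrToken = (CsrfToken) this.request.getAttribute(this.csrfAttrName);
 // no CsrfToken should have been saved yet
 verify(this.tokenRepository, times(0)).saveToken(any(CsrfToken.class), any(HttpServletRequest.class),
 any(HttpServletResponse.class));
@@ -125,7 +127,7 @@ public void doFilterAccessDeniedNoTokenPresent() throws ServletException, IOExce
 given(this.requestMatcher.matches(this.request)).willReturn(true);
 given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
 this.filter.doFilter(this.request, this.response, this.filterChain);
-assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
+assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
 assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
 verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
 verifyNoMoreInteractions(this.filterChain);
@@ -137,7 +139,7 @@ public void doFilterAccessDeniedIncorrectTokenPresent() throws ServletException,
 given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
 this.request.setParameter(this.token.getParameterName(), this.token.getToken() + " INVALID");
 this.filter.doFilter(this.request, this.response, this.filterChain);
-assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
+assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
 assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
 verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
 verifyNoMoreInteractions(this.filterChain);
@@ -149,7 +151,7 @@ public void doFilterAccessDeniedIncorrectTokenPresentHeader() throws ServletExce
 given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
 this.request.addHeader(this.token.getHeaderName(), this.token.getToken() + " INVALID");
 this.filter.doFilter(this.request, this.response, this.filterChain);
-assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
+assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
 assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
 verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
 verifyNoMoreInteractions(this.filterChain);
@@ -163,7 +165,7 @@ public void doFilterAccessDeniedIncorrectTokenPresentHeaderPreferredOverParamete
 this.request.setParameter(this.token.getParameterName(), this.token.getToken());
 this.request.addHeader(this.token.getHeaderName(), this.token.getToken() + " INVALID");
 this.filter.doFilter(this.request, this.response, this.filterChain);
-assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
+assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
 assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
 verify(this.deniedHandler).handle(eq(this.request), eq(this.response), any(InvalidCsrfTokenException.class));
 verifyNoMoreInteractions(this.filterChain);
@@ -174,7 +176,7 @@ public void doFilterNotCsrfRequestExistingToken() throws ServletException, IOExc
 given(this.requestMatcher.matches(this.request)).willReturn(false);
 given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
 this.filter.doFilter(this.request, this.response, this.filterChain);
-assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
+assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
 assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
 verify(this.filterChain).doFilter(this.request, this.response);
 verifyNoMoreInteractions(this.deniedHandler);
@@ -185,7 +187,7 @@ public void doFilterNotCsrfRequestGenerateToken() throws ServletException, IOExc
 given(this.requestMatcher.matches(this.request)).willReturn(false);
 given(this.tokenRepository.generateToken(this.request)).willReturn(this.token);
 this.filter.doFilter(this.request, this.response, this.filterChain);
-assertToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
+assertToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
 assertToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
 verify(this.filterChain).doFilter(this.request, this.response);
 verifyNoMoreInteractions(this.deniedHandler);
@@ -197,7 +199,7 @@ public void doFilterIsCsrfRequestExistingTokenHeader() throws ServletException,
 given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
 this.request.addHeader(this.token.getHeaderName(), this.token.getToken());
 this.filter.doFilter(this.request, this.response, this.filterChain);
-assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
+assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
 assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
 verify(this.filterChain).doFilter(this.request, this.response);
 verifyNoMoreInteractions(this.deniedHandler);
@@ -211,7 +213,7 @@ public void doFilterIsCsrfRequestExistingTokenHeaderPreferredOverInvalidParam()
 this.request.setParameter(this.token.getParameterName(), this.token.getToken() + " INVALID");
 this.request.addHeader(this.token.getHeaderName(), this.token.getToken());
 this.filter.doFilter(this.request, this.response, this.filterChain);
-assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
+assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
 assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
 verify(this.filterChain).doFilter(this.request, this.response);
 verifyNoMoreInteractions(this.deniedHandler);
@@ -223,7 +225,7 @@ public void doFilterIsCsrfRequestExistingToken() throws ServletException, IOExce
 given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
 this.request.setParameter(this.token.getParameterName(), this.token.getToken());
 this.filter.doFilter(this.request, this.response, this.filterChain);
-assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
+assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
 assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
 verify(this.filterChain).doFilter(this.request, this.response);
 verifyNoMoreInteractions(this.deniedHandler);
@@ -237,7 +239,7 @@ public void doFilterIsCsrfRequestGenerateToken() throws ServletException, IOExce
 given(this.tokenRepository.generateToken(this.request)).willReturn(this.token);
 this.request.setParameter(this.token.getParameterName(), this.token.getToken());
 this.filter.doFilter(this.request, this.response, this.filterChain);
-assertToken(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
+assertToken(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
 assertToken(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
 // LazyCsrfTokenRepository requires the response as an attribute
 assertThat(this.request.getAttribute(HttpServletResponse.class.getName())).isEqualTo(this.response);
@@ -303,7 +305,7 @@ public void doFilterDefaultAccessDenied() throws ServletException, IOException {
 given(this.requestMatcher.matches(this.request)).willReturn(true);
 given(this.tokenRepository.loadToken(this.request)).willReturn(this.token);
 this.filter.doFilter(this.request, this.response, this.filterChain);
-assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
+assertThat(this.request.getAttribute(this.csrfAttrName)).isEqualTo(this.token);
 assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
 assertThat(this.response.getStatus()).isEqualTo(HttpServletResponse.SC_FORBIDDEN);
 verifyNoMoreInteractions(this.filterChain);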
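Review bot: `csrfAttrName` on new line 78 of CsrfFilterTests.java is a mutable instance field holding a fixed value; the conventional form is `private static final String CSRF_ATTR_NAME = "_csrf";`, which also signals that every assertion in the later hunks pins the filter's default rather than a per-test setting. Beyond the naming, the rewritten assertions only check the default name against a token whose parameter name presumably also equals "_csrf" (the token setup is outside these hunks), so none of them would distinguish the new fixed default from the earlier fallback to `token.getParameterName()`; one test using a token with a different parameter name, asserting `getAttribute(token.getParameterName())` is null while `getAttribute("_csrf")` is the token, would pin the behaviour this commit introduces. All the enclosing test methods start and end outside their hunks.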
