Default to XorCsrfTokenRequestAttributeHandler

As of gh-11960, Xor CSRF tokens are the default in 6.0. This commit
makes CsrfAuthenticationStrategy consistent with CsrfFilter.

Issue gh-11960
Closes gh-12235

Author: Steve Riesenberg

Diff for: web/src/main/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategy.java

@@ -41,7 +41,7 @@ public final class CsrfAuthenticationStrategy implements SessionAuthenticationSt
 
 	private final CsrfTokenRepository tokenRepository;
 
-	private CsrfTokenRequestHandler requestHandler = new CsrfTokenRequestAttributeHandler();
+	private CsrfTokenRequestHandler requestHandler = new XorCsrfTokenRequestAttributeHandler();
 
 	/**
 	 * Creates a new instance

Diff for: web/src/test/java/org/springframework/security/web/csrf/CsrfAuthenticationStrategyTests.java

@@ -108,9 +108,10 @@ public void logoutRemovesCsrfTokenAndLoadsNewDeferredCsrfToken() {
 		verify(this.csrfTokenRepository).loadDeferredToken(this.request, this.response);
 		// SEC-2404, SEC-2832
 		CsrfToken tokenInRequest = (CsrfToken) this.request.getAttribute(CsrfToken.class.getName());
-		assertThat(tokenInRequest.getToken()).isSameAs(this.generatedToken.getToken());
-		assertThat(tokenInRequest.getHeaderName()).isSameAs(this.generatedToken.getHeaderName());
-		assertThat(tokenInRequest.getParameterName()).isSameAs(this.generatedToken.getParameterName());
+		assertThat(tokenInRequest.getToken()).isNotEmpty();
+		assertThat(tokenInRequest.getToken()).isNotEqualTo(this.generatedToken.getToken());
+		assertThat(tokenInRequest.getHeaderName()).isEqualTo(this.generatedToken.getHeaderName());
+		assertThat(tokenInRequest.getParameterName()).isEqualTo(this.generatedToken.getParameterName());
 		assertThat(this.request.getAttribute(this.generatedToken.getParameterName())).isSameAs(tokenInRequest);
 	}