Describe the bug
UUID#randomUUID() is called in CookieServerCsrfTokenRepository#createNewToken(), and UUID#randomUUID() is a blocking I/O operation (reported in #8128).
However, CookieServerCsrfTokenRepository#generateToken(ServerWebExchange) does not change the Scheduler.
https://github.com/spring-projects/spring-security/blob/57c5ec26e7af1a4c2b8da894840fe55bf6897b9f/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java#L68-L71
https://github.com/spring-projects/spring-security/blob/57c5ec26e7af1a4c2b8da894840fe55bf6897b9f/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java#L148-L150
https://github.com/spring-projects/spring-security/blob/57c5ec26e7af1a4c2b8da894840fe55bf6897b9f/web/src/main/java/org/springframework/security/web/server/csrf/CookieServerCsrfTokenRepository.java#L156-L158
To Reproduce
CookieServerCsrfTokenRepository#generateToken(ServerWebExchange)
Expected behavior
Use Schedulers.boundedElastic().
Sample
N/A
Is it by design that Schedulers.boundedElastic() is not used?
Comment From: jzheaux
Hi, @tt4g, thanks for the report.
I believe that it makes sense to change the token generation to use Schedulers.boundedElastic() like so:
Mono.fromCallable(this::createCsrfToken).subscribeOn(Schedulers.boundedElastic());
since UUID.randomUUID is blocking.
Would you be able to submit a PR to update the class?
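The change proposed in the comment above, shown beside the un-offloaded form, as an added example that is not part of the original thread or of the Spring Security code base. The class and method names, and the use of Schedulers.parallel() as a stand-in for a WebFlux event-loop thread, are assumptions; it needs reactor-core on the classpath.

```java
import java.util.UUID;
import reactor.core.publisher.Mono;
import reactor.core.scheduler.Schedulers;

// Hypothetical demo class, not Spring Security code.
public class CsrfTokenSchedulingDemo {

    // Stand-in for the repository's token creation. UUID.randomUUID() draws from
    // SecureRandom, which can block while the OS entropy source is being seeded.
    // The thread name and Reactor's non-blocking marker are appended for inspection.
    static String createNewToken() {
        return UUID.randomUUID()
                + " [thread=" + Thread.currentThread().getName()
                + ", nonBlocking=" + Schedulers.isInNonBlockingThread() + "]";
    }

    // Without a scheduler change: the callable runs on whichever thread subscribes.
    static Mono<String> generateTokenOnSubscriber() {
        return Mono.fromCallable(CsrfTokenSchedulingDemo::createNewToken);
    }

    // With the proposed change: the callable is moved to a boundedElastic worker,
    // regardless of which thread subscribes.
    static Mono<String> generateTokenOffloaded() {
        return Mono.fromCallable(CsrfTokenSchedulingDemo::createNewToken)
                .subscribeOn(Schedulers.boundedElastic());
    }

    public static void main(String[] args) {
        // Assumption: Schedulers.parallel() threads are marked NonBlocking, like
        // Reactor Netty event-loop threads, so they simulate the request thread.
        String before = generateTokenOnSubscriber()
                .subscribeOn(Schedulers.parallel())
                .block(); // block() is acceptable here: main is an ordinary thread
        String after = generateTokenOffloaded()
                .subscribeOn(Schedulers.parallel()) // innermost subscribeOn wins
                .block();

        System.out.println("without subscribeOn(boundedElastic): " + before);
        System.out.println("with subscribeOn(boundedElastic):    " + after);
    }
}
```

The first line reports a parallel worker with nonBlocking=true, the second a boundedElastic worker with nonBlocking=false, which is the property the fix is after: the potentially blocking SecureRandom call no longer runs on a thread that must not block.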
Comment From: tt4g
I will submit a PR in a few days.
Comment From: tt4g
@jzheaux The PR has been sent. Could you please confirm?