CsrfFilter uses CsrfToken.parameterNameto specify the attribute name that the CsrfToken is set on. This doesn't make sense because parameterName is intended to be used as the HTTP parameter that the CsrfToken is provided not the HttpServlet request attribute. This behavior also means that the CsrfToken must be read for every request which causes unnecessary reads to the HttpSession on every request which can impact the performance of an application.
We should provide a property on CsrfFilter that is used to set the CsrfToken to address the concerns above.