We should cache the Xor CSRF token (in request attributes) from XorCsrfTokenRequestAttributeHandler, so the CSRF token is only Xor'd once per request. Given:

```java
CsrfToken csrfToken = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
csrfToken.getToken();
csrfToken.getToken(); // should produce the same result as the line above
```

This shows up primarily in tests, when accessing the request attribute containing the CSRF token for predicting output of e.g. the DefaultLoginPageGeneratingFilter. Also, the intention of XorCsrfTokenRequestAttributeHandler was to Xor the token only once per request, so this enhancement aligns with that goal.

Also apply to reactive XorServerCsrfTokenRequestAttributeHandler.

Comment From: sjohnr

Related gh-4001