Summary

CsrfFilter sets the request attribute "javax.servlet.http.HttpServletResponse", which is later used by LazyCsrfTokenRepository to obtain the current response.

According to the Javadoc of ServletRequest.setAttribute(String, Object), names like "javax.*" are "reserved for use by Oracle Corporation".

The name of the request attribute should be changed.

Actual Behavior

LazyCsrfTokenRepository (and maybe others) rely on the presence of the request attribute "javax.servlet.http.HttpServletResponse". There is no clear indication that the request attribute is set by CsrfFilter. Its name might trick people into thinking that it is set by the servlet container, which it is not.

Expected Behavior

The FQCN of CsrfFilter should be used as a prefix for the request attribute name.

Configuration

N/A

Version

5.1.1

Sample

N/A
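To make the naming point concrete, here is an added illustration that is not Spring Security's own code. A hypothetical filter, ResponseExposingFilter, stashes the current response in a request attribute for a downstream consumer, the same pattern the issue describes for CsrfFilter and LazyCsrfTokenRepository. It contrasts the reserved-looking name (HttpServletResponse.class.getName(), which evaluates to "javax.servlet.http.HttpServletResponse") with a name prefixed by the setting class's FQCN, and adds a small check for the reserved prefixes listed in the ServletRequest.setAttribute Javadoc. The class names, the ".RESPONSE" suffix and the prefix list are assumptions for this example only.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (example only, not Spring Security code) that exposes
 * the current response through a request attribute.
 */
public final class ResponseExposingFilter implements Filter {

    // Problematic choice: evaluates to "javax.servlet.http.HttpServletResponse".
    // It sits in the javax.* namespace reserved by the Servlet Javadoc and
    // reads as if the servlet container had set it.
    static final String RESERVED_LOOKING_NAME = HttpServletResponse.class.getName();

    // Preferred choice: prefix with the FQCN of the class that sets the
    // attribute, so the owner is obvious and no reserved prefix is used.
    static final String RESPONSE_ATTRIBUTE =
            ResponseExposingFilter.class.getName() + ".RESPONSE";

    // Prefixes named as reserved in the ServletRequest.setAttribute Javadoc
    // (assumed list for this example).
    private static final List<String> RESERVED_PREFIXES =
            Arrays.asList("java.", "javax.", "com.sun.");

    /** Returns true when an attribute name falls into a reserved namespace. */
    static boolean isReservedAttributeName(String name) {
        for (String prefix : RESERVED_PREFIXES) {
            if (name.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Fail loudly rather than silently squatting on a reserved name.
        if (isReservedAttributeName(RESPONSE_ATTRIBUTE)) {
            throw new IllegalStateException(
                    "attribute name uses a reserved prefix: " + RESPONSE_ATTRIBUTE);
        }
        request.setAttribute(RESPONSE_ATTRIBUTE, response);
        try {
            chain.doFilter(request, response);
        } finally {
            // Do not leave the response reachable after the chain returns.
            request.removeAttribute(RESPONSE_ATTRIBUTE);
        }
    }

    /**
     * Downstream consumer, analogous to a component that needs the response
     * lazily. The error message names the filter that is expected to set the
     * attribute, which a container-looking name would not convey.
     */
    static HttpServletResponse currentResponse(HttpServletRequest request) {
        Object value = request.getAttribute(RESPONSE_ATTRIBUTE);
        if (!(value instanceof HttpServletResponse)) {
            throw new IllegalStateException("no response found under " + RESPONSE_ATTRIBUTE
                    + "; is " + ResponseExposingFilter.class.getSimpleName() + " on the chain?");
        }
        return (HttpServletResponse) value;
    }
}
```

With this naming, isReservedAttributeName(RESERVED_LOOKING_NAME) is true while isReservedAttributeName(RESPONSE_ATTRIBUTE) is false, and a grep for the filter's FQCN finds every reader of the attribute, which is the traceability the expected behaviour above asks for.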

Comment From: jzheaux

Thanks, @chschu, I agree. Are you able to submit a PR that changes this on main?

Comment From: chschu


Sure, see #13056.

There has been some movement in the CSRF area lately. The request attribute is no longer populated by CsrfFilter itself, but by CsrfTokenRequestAttributeHandler.

Because it's still only used by the deprecated LazyCsrfTokenRepository, and probably shouldn't be used anywhere else, I chose to change the existing constant there. This way its usages will be easier to find should LazyCsrfTokenRepository be removed in the future.