Spring Security CsrfRequestPostProcessor stomps over what is configured via CsrfConfigurer#csrfTokenRepository

Describe the bug We are using CSRF with the CookieCsrfTokenRepository. It is setup via CsrfConfigurer#csrfTokenRepository. In some tests we are using the CsrfRequestPostProcessor simply via MockHttpServletRequestBuilder.with(csrf()). We also have a simple controller, that returns the CsrfToken set by CsrfFilter. The problem is, the CsrfRequestPostProcessor effectively sets the repository to HttpSessionCsrfTokenRepository and these repositories generate instances of CsrfTokens returning different values for CsrfToken#getHeaderName (one X-CSRF-TOKEN, the other X-XSRF-TOKEN). This results in different behaviour depending on whether we run just the test for the controller (not using the postprocessor) or all tests for the projects (sharing the Spring context).

To Reproduce 1. Configure CSRF to use the CookieCsrfTokenRepository. 2. Use the CsrfRequestPostProcessor for some tests. 3. Test the return value of a controller doing return (CsrfToken) request.getAttribute(CsrfToken.class.getName());. Specifically header name.

Expected behavior The request post processor respects the configured repository. The request post processor should not modify the "global" context.

Comment From: marcusdacoregio

Hi @pglizniewicz, I believe this is a duplicate of https://github.com/spring-projects/spring-security/issues/12774.

Please refer to that issue and, if you think this is a different scenario let us know so we can reopen it.