diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
index 005966c1e9..56c5d393ab 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
@@ -1114,15 +1114,18 @@ csrf =
csrf-options.attlist &=
## Specifies if csrf protection should be disabled. Default false (i.e. CSRF protection is enabled).
attribute disabled {xsd:boolean}?
-csrf-options.attlist &=
- ## The request attribute name the CsrfToken is set on. Default is to set to CsrfToken.parameterName
- attribute request-attribute-name { xsd:token }?
csrf-options.attlist &=
## The RequestMatcher instance to be used to determine if CSRF should be applied. Default is any HTTP method except "GET", "TRACE", "HEAD", "OPTIONS"
attribute request-matcher-ref { xsd:token }?
csrf-options.attlist &=
## The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository wrapped by LazyCsrfTokenRepository.
attribute token-repository-ref { xsd:token }?
+csrf-options.attlist &=
+ ## The CsrfTokenRequestAttributeHandler to use. The default is CsrfTokenRequestProcessor.
+ attribute request-attribute-handler-ref { xsd:token }?
+csrf-options.attlist &=
+ ## The CsrfTokenRequestResolver to use. The default is CsrfTokenRequestProcessor.
+ attribute request-resolver-ref { xsd:token }?
headers =
## Element for configuration of the HeaderWritersFilter. Enables easy setting for the X-Frame-Options, X-XSS-Protection and X-Content-Type-Options headers.
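Review bot: Removing `request-attribute-name` leaves the schema with no pointer to where that setting now lives, so an XML configuration that still uses it fails validation with no hint of the replacement. The CsrfTokenRequestProcessor.java hunk in this same commit shows the name is now a property of that class (`csrfRequestAttributeName`, defaulting to `"_csrf"`), so the new `request-attribute-handler-ref` documentation could carry that information: `## The CsrfTokenRequestAttributeHandler to use. The default is CsrfTokenRequestProcessor; to change the request attribute name, set csrfRequestAttributeName on a CsrfTokenRequestProcessor bean and reference it here.` The .xsd hunks appear to mirror this text, so the same wording would need to land there as well.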
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
index 0cc6594cd3..df6d97c3a3 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
@@ -3145,13 +3145,6 @@
-
-
- The request attribute name the CsrfToken is set on. Default is to set to
- CsrfToken.parameterName
-
-
-
The RequestMatcher instance to be used to determine if CSRF should be applied. Default is
@@ -3166,6 +3159,18 @@
+
+
+ The CsrfTokenRequestAttributeHandler to use. The default is CsrfTokenRequestProcessor.
+
+
+
+
+
+ The CsrfTokenRequestResolver to use. The default is CsrfTokenRequestProcessor.
+
+
+
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
index 05d8f8bca6..e0cdbab6c2 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
@@ -32,7 +32,6 @@ import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
-import org.springframework.security.web.csrf.CsrfTokenRequestProcessor;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java
index a22f3144d2..b45e340532 100644
--- a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java
@@ -18,8 +18,8 @@ package org.springframework.security.web.csrf;
import java.util.function.Supplier;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
/**
* A callback interface that is used to make the {@link CsrfToken} created by the
diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessor.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessor.java
index 47807a1dc1..013d2190d2 100644
--- a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessor.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessor.java
@@ -18,8 +18,8 @@ package org.springframework.security.web.csrf;
import java.util.function.Supplier;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
import org.springframework.util.Assert;
@@ -34,7 +34,7 @@ import org.springframework.util.Assert;
*/
public class CsrfTokenRequestProcessor implements CsrfTokenRequestAttributeHandler, CsrfTokenRequestResolver {
- private String csrfRequestAttributeName;
+ private String csrfRequestAttributeName = "_csrf";
/**
* The {@link CsrfToken} is available as a request attribute named
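Review bot: Initialising `csrfRequestAttributeName` to the literal `"_csrf"` changes the fallback from the token's own parameter name (the assertion removed at line 121 of the CsrfTokenRequestProcessorTests hunk shows that was the previous behaviour) to a fixed string, so a deployment whose CsrfTokenRepository issues tokens with a different parameter name will no longer find the token under `request.getAttribute(token.getParameterName())`. If that is intended, the field Javadoc should state that the attribute name is independent of `CsrfToken.getParameterName()` and defaults to `"_csrf"`. The literal is also repeated verbatim in the test class, so it is worth exposing it once, e.g. `public static final String DEFAULT_CSRF_REQUEST_ATTRIBUTE_NAME = "_csrf";` and initialising the field from that constant. The class body continues outside the hunk.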
diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestResolver.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestResolver.java
index f3d820d2ca..38089a066c 100644
--- a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestResolver.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestResolver.java
@@ -16,7 +16,7 @@
package org.springframework.security.web.csrf;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
/**
* Implementations of this interface are capable of resolving the token value of a
diff --git a/web/src/test/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessorTests.java b/web/src/test/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessorTests.java
index ac50ec3aaa..542e0ef1f9 100644
--- a/web/src/test/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessorTests.java
+++ b/web/src/test/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessorTests.java
@@ -78,17 +78,17 @@ public class CsrfTokenRequestProcessorTests {
@Test
public void handleWhenCsrfRequestAttributeSetThenUsed() {
- this.processor.setCsrfRequestAttributeName("_csrf");
+ this.processor.setCsrfRequestAttributeName("_csrf.attr");
this.processor.handle(this.request, this.response, () -> this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
- assertThat(this.request.getAttribute("_csrf")).isEqualTo(this.token);
+ assertThat(this.request.getAttribute("_csrf.attr")).isEqualTo(this.token);
}
@Test
public void handleWhenValidParametersThenRequestAttributesSet() {
this.processor.handle(this.request, this.response, () -> this.token);
assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
- assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
+ assertThat(this.request.getAttribute("_csrf")).isEqualTo(this.token);
}
@Test
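Review bot: `handleWhenValidParametersThenRequestAttributesSet` now asserts the hard-coded default `"_csrf"` instead of `this.token.getParameterName()`, yet its name still reads as a generic happy-path test; renaming it to something like `handleWhenCsrfRequestAttributeNameNotSetThenDefaultUsed` makes the contract under test visible. There is also no longer any assertion covering the behaviour that was removed, namely that the token is not exposed under the token's own parameter name when it differs from the default; a single line such as `assertThat(this.request.getAttribute(this.token.getParameterName())).isNull();` would pin that, provided the fixture's token uses a parameter name other than "_csrf", which this hunk does not show. The enclosing test class continues outside the hunk.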