From 088ebe2e0091d2696c07fe9716f3f53d170af812 Mon Sep 17 00:00:00 2001
From: Steve Riesenberg
Date: Tue, 6 Sep 2022 12:15:08 -0500
Subject: [PATCH] Default CsrfTokenRequestProcessor.csrfRequestAttributeName = _csrf
Issue gh-11764
Issue gh-4001
---
.../security/config/spring-security-6.0.rnc | 9 ++++++---
.../security/config/spring-security-6.0.xsd | 19 ++++++++++++-------
.../DeferHttpSessionJavaConfigTests.java | 1 -
.../CsrfTokenRequestAttributeHandler.java | 4 ++--
.../web/csrf/CsrfTokenRequestProcessor.java | 6 +++---
.../web/csrf/CsrfTokenRequestResolver.java | 2 +-
.../csrf/CsrfTokenRequestProcessorTests.java | 6 +++---
7 files changed, 27 insertions(+), 20 deletions(-)
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
index 005966c1e9..56c5d393ab 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.rnc
@@ -1114,15 +1114,18 @@ csrf =
 csrf-options.attlist &=
 ## Specifies if csrf protection should be disabled. Default false (i.e. CSRF protection is enabled).
 attribute disabled {xsd:boolean}?
-csrf-options.attlist &=
- ## The request attribute name the CsrfToken is set on. Default is to set to CsrfToken.parameterName
- attribute request-attribute-name { xsd:token }?
 csrf-options.attlist &=
 ## The RequestMatcher instance to be used to determine if CSRF should be applied. Default is any HTTP method except "GET", "TRACE", "HEAD", "OPTIONS"
 attribute request-matcher-ref { xsd:token }?
 csrf-options.attlist &=
 ## The CsrfTokenRepository to use. The default is HttpSessionCsrfTokenRepository wrapped by LazyCsrfTokenRepository.
 attribute token-repository-ref { xsd:token }?
+csrf-options.attlist &=
+ ## The CsrfTokenRequestAttributeHandler to use. The default is CsrfTokenRequestProcessor.
+ attribute request-attribute-handler-ref { xsd:token }?
+csrf-options.attlist &=
+ ## The CsrfTokenRequestResolver to use. The default is CsrfTokenRequestProcessor.
+ attribute request-resolver-ref { xsd:token }?
 headers =
 ## Element for configuration of the HeaderWritersFilter. Enables easy setting for the X-Frame-Options, X-XSS-Protection and X-Content-Type-Options headers.
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
index 0cc6594cd3..df6d97c3a3 100644
--- a/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-6.0.xsd
@@ -3145,13 +3145,6 @@
- - - The request attribute name the CsrfToken is set on. Default is to set to - CsrfToken.parameterName - - - The RequestMatcher instance to be used to determine if CSRF should be applied. Default is
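Review bot: Removing `request-attribute-name` from the csrf element breaks XML configurations that set it, and the descriptions of the two attributes that replace it never say how the attribute name is now chosen; the schema text should point users at the replacement. Suggest extending the first new description to `## The CsrfTokenRequestAttributeHandler to use. The default is CsrfTokenRequestProcessor, which exposes the CsrfToken under the request attribute "_csrf"; configure a CsrfTokenRequestProcessor bean to use a different attribute name.` The `_csrf` default is taken from the commit title and the CsrfTokenRequestProcessor hunk later in this patch; whether the XML namespace parser still accepts the old attribute is not visible here, since no parser file is in the diffstat. The xsd hunks that follow appear to mirror this text and would take the same wording.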
@@ -3166,6 +3159,18 @@
+ + + The CsrfTokenRequestAttributeHandler to use. The default is CsrfTokenRequestProcessor. + + + + + + The CsrfTokenRequestResolver to use. The default is CsrfTokenRequestProcessor. + + +
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
index 05d8f8bca6..e0cdbab6c2 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
@@ -32,7 +32,6 @@ import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
-import org.springframework.security.web.csrf.CsrfTokenRequestProcessor;
 import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
 import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java
index a22f3144d2..b45e340532 100644
--- a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestAttributeHandler.java
@@ -18,8 +18,8 @@ package org.springframework.security.web.csrf;
 import java.util.function.Supplier;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 /**
 * A callback interface that is used to make the {@link CsrfToken} created by the
diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessor.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessor.java
index 47807a1dc1..013d2190d2 100644
--- a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessor.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessor.java
@@ -18,8 +18,8 @@ package org.springframework.security.web.csrf;
 import java.util.function.Supplier;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.util.Assert;
@@ -34,7 +34,7 @@ import org.springframework.util.Assert;
 */
 public class CsrfTokenRequestProcessor implements CsrfTokenRequestAttributeHandler, CsrfTokenRequestResolver {
- private String csrfRequestAttributeName;
+ private String csrfRequestAttributeName = "_csrf";
 /**
 * The {@link CsrfToken} is available as a request attribute named
diff --git a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestResolver.java b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestResolver.java
index f3d820d2ca..38089a066c 100644
--- a/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestResolver.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/CsrfTokenRequestResolver.java
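Review bot: In the `@@ -34,7 +34,7 @@` hunk of CsrfTokenRequestProcessor the new default `"_csrf"` is a bare literal on a field with no Javadoc, and the test hunk at the end of this patch repeats the same literal verbatim, so nothing ties the two together. A documented constant pins the contract: `/** Default request attribute name under which the {@link CsrfToken} is exposed. */` `public static final String DEFAULT_CSRF_REQUEST_ATTRIBUTE_NAME = "_csrf";` and `private String csrfRequestAttributeName = DEFAULT_CSRF_REQUEST_ATTRIBUTE_NAME;`. The assertion removed from CsrfTokenRequestProcessorTests (`this.token.getParameterName()`) suggests the token was previously published under the token's parameter name, so a view that reads it through a non-default parameter name would now find it only under `_csrf`; that behaviour change belongs in the class Javadoc, which lies outside this hunk. The setter that validates this field is also not in the hunk.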
@@ -16,7 +16,7 @@ package org.springframework.security.web.csrf;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletRequest;
 /**
 * Implementations of this interface are capable of resolving the token value of a
diff --git a/web/src/test/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessorTests.java b/web/src/test/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessorTests.java
index ac50ec3aaa..542e0ef1f9 100644
--- a/web/src/test/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessorTests.java
+++ b/web/src/test/java/org/springframework/security/web/csrf/CsrfTokenRequestProcessorTests.java
@@ -78,17 +78,17 @@ public class CsrfTokenRequestProcessorTests {
 @Test
 public void handleWhenCsrfRequestAttributeSetThenUsed() {
- this.processor.setCsrfRequestAttributeName("_csrf");
+ this.processor.setCsrfRequestAttributeName("_csrf.attr");
 this.processor.handle(this.request, this.response, () -> this.token);
 assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
- assertThat(this.request.getAttribute("_csrf")).isEqualTo(this.token);
+ assertThat(this.request.getAttribute("_csrf.attr")).isEqualTo(this.token);
 }
 @Test
 public void handleWhenValidParametersThenRequestAttributesSet() {
 this.processor.handle(this.request, this.response, () -> this.token);
 assertThat(this.request.getAttribute(CsrfToken.class.getName())).isEqualTo(this.token);
- assertThat(this.request.getAttribute(this.token.getParameterName())).isEqualTo(this.token);
+ assertThat(this.request.getAttribute("_csrf")).isEqualTo(this.token);
 }
 @Test
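Review bot: In `handleWhenValidParametersThenRequestAttributesSet` the rewritten assertion checks the literal `"_csrf"` against a `this.token` whose parameter name is set up outside this hunk, so if that fixture's parameter name is also `_csrf` the assertion would have passed under the old parameter-name behaviour too and does not prove the new default is independent of `token.getParameterName()`. Add a case that uses a token with a different parameter name and checks that only the default attribute is set, e.g. `DefaultCsrfToken token = new DefaultCsrfToken("X-CSRF-TOKEN", "other", "token-value");` then `this.processor.handle(this.request, this.response, () -> token);` and `assertThat(this.request.getAttribute("other")).isNull();` alongside the existing `"_csrf"` assertion. The literal `"_csrf"` is now duplicated between this test and the production default; referencing a shared constant, if one is introduced on CsrfTokenRequestProcessor, would keep them from drifting. The fixture fields and the class header are outside the hunk.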