SEC-2325: Polish CSRF Tag support

- Rename csrfField to csrfInput - Make AbstractCsrfTag package scope - rename FormFieldTag to CsrfInputTag - rename MetaTagsTag to CsrfMetaTagsTag - removed whitespace from tag output so output is minimized & improving browser performance - Update @since - changed test names to be more meaningful
2026-05-22 21:33:16 +00:00 · 2014-03-07 15:25:57 -06:00
parent a3e0475998
commit 32d3e29c65
8 changed files with 39 additions and 39 deletions
@@ -25,10 +25,10 @@ import java.io.IOException;
 /**
 * An abstract tag for handling CSRF operations.
 *
- * @since 3.2.1
+ * @since 3.2.2
 * @author Nick Williams
 */
-public abstract class AbstractCsrfTag extends TagSupport {
+abstract class AbstractCsrfTag extends TagSupport {

    @Override
    public int doEndTag() throws JspException {
@@ -22,14 +22,14 @@ import org.springframework.security.web.csrf.CsrfToken;
 * A JSP tag that prints out a hidden form field for the CSRF token. See the JSP Tab Library documentation for more
 * information.
 *
- * @since 3.2.1
+ * @since 3.2.2
 * @author Nick Williams
 */
-public class FormFieldTag extends AbstractCsrfTag {
+public class CsrfInputTag extends AbstractCsrfTag {

    @Override
    public String handleToken(CsrfToken token) {
        return "<input type=\"hidden\" name=\"" + token.getParameterName() + "\" value=\"" + token.getToken() +
-                "\" />\n";
+                "\" />";
    }
 }
@@ -22,15 +22,15 @@ import org.springframework.security.web.csrf.CsrfToken;
 * A JSP tag that prints out a meta tags holding the CSRF form field name and token value for use in JavaScrip code.
 * See the JSP Tab Library documentation for more information.
 *
- * @since 3.2.1
+ * @since 3.2.2
 * @author Nick Williams
 */
-public class MetaTagsTag extends AbstractCsrfTag {
+public class CsrfMetaTagsTag extends AbstractCsrfTag {

    @Override
    public String handleToken(CsrfToken token) {
-        return "<meta name=\"_csrf_parameter\" content=\"" + token.getParameterName() + "\" />\n" +
-                "        <meta name=\"_csrf_header\" content=\"" + token.getHeaderName() + "\" />\n" +
-                "        <meta name=\"_csrf\" content=\"" + token.getToken() + "\" />\n";
+        return "<meta name=\"_csrf_parameter\" content=\"" + token.getParameterName() + "\" />" +
+               "<meta name=\"_csrf_header\" content=\"" + token.getHeaderName() + "\" />" +
+               "<meta name=\"_csrf\" content=\"" + token.getToken() + "\" />";
    }
 }
@@ -200,8 +200,8 @@
            where you would normally place other <input>s. Do NOT place this tag within a Spring <form:form></form:form>
            block—Spring Security handles Spring forms automatically.
        ]]></description>
-        <name>csrfField</name>
-        <tag-class>org.springframework.security.taglibs.csrf.FormFieldTag</tag-class>
+        <name>csrfInput</name>
+        <tag-class>org.springframework.security.taglibs.csrf.CsrfInputTag</tag-class>
        <body-content>empty</body-content>
    </tag>

@@ -218,7 +218,7 @@
            tag outputs nothing.
        ]]></description>
        <name>csrfMetaTags</name>
-        <tag-class>org.springframework.security.taglibs.csrf.MetaTagsTag</tag-class>
+        <tag-class>org.springframework.security.taglibs.csrf.CsrfMetaTagsTag</tag-class>
        <body-content>empty</body-content>
    </tag>

@@ -36,9 +36,9 @@ public class AbstractCsrfTagTests {
    }

    @Test
-    public void testDoEndTag01() throws JspException, UnsupportedEncodingException {
+    public void noCsrfDoesNotRender() throws JspException, UnsupportedEncodingException {

-        this.tag.handleReturn = "fooBarBazQux";
+        this.tag.handleReturn = "shouldNotBeRendered";

        int returned = this.tag.doEndTag();

@@ -47,7 +47,7 @@ public class AbstractCsrfTagTests {
    }

    @Test
-    public void testDoEndTag02() throws JspException, UnsupportedEncodingException {
+    public void hasCsrfRendersReturnedValue() throws JspException, UnsupportedEncodingException {

        CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
        this.request.setAttribute(CsrfToken.class.getName(), token);
@@ -62,7 +62,7 @@ public class AbstractCsrfTagTests {
    }

    @Test
-    public void testDoEndTag03() throws JspException, UnsupportedEncodingException {
+    public void hasCsrfRendersDifferentValue() throws JspException, UnsupportedEncodingException {

        CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");
        this.request.setAttribute(CsrfToken.class.getName(), token);
@@ -10,36 +10,36 @@ import static org.junit.Assert.*;
 /**
 * @author Nick Williams
 */
-public class FormFieldTagTests {
+public class CsrfInputTagTests {

-    public FormFieldTag tag;
+    public CsrfInputTag tag;

    @Before
    public void setUp() {
-        this.tag = new FormFieldTag();
+        this.tag = new CsrfInputTag();
    }

    @Test
-    public void testHandleToken01() {
+    public void handleTokenReturnsHiddenInput() {
        CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");

        String value = this.tag.handleToken(token);

        assertNotNull("The returned value should not be null.", value);
        assertEquals("The output is not correct.",
-                "<input type=\"hidden\" name=\"_csrf\" value=\"abc123def456ghi789\" />\n",
+                "<input type=\"hidden\" name=\"_csrf\" value=\"abc123def456ghi789\" />",
                value);
    }

    @Test
-    public void testHandleToken() {
+    public void handleTokenReturnsHiddenInputDifferentTokenValue() {
        CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "csrfParameter", "fooBarBazQux");

        String value = this.tag.handleToken(token);

        assertNotNull("The returned value should not be null.", value);
        assertEquals("The output is not correct.",
-                "<input type=\"hidden\" name=\"csrfParameter\" value=\"fooBarBazQux\" />\n",
+                "<input type=\"hidden\" name=\"csrfParameter\" value=\"fooBarBazQux\" />",
                value);
    }
 }
@@ -10,40 +10,40 @@ import static org.junit.Assert.*;
 /**
 * @author Nick Williams
 */
-public class MetaTagsTagTests {
+public class CsrfMetaTagsTagTests {

-    public MetaTagsTag tag;
+    public CsrfMetaTagsTag tag;

    @Before
    public void setUp() {
-        this.tag = new MetaTagsTag();
+        this.tag = new CsrfMetaTagsTag();
    }

    @Test
-    public void testHandleToken01() {
+    public void handleTokenRendersTags() {
        CsrfToken token = new DefaultCsrfToken("X-Csrf-Token", "_csrf", "abc123def456ghi789");

        String value = this.tag.handleToken(token);

        assertNotNull("The returned value should not be null.", value);
        assertEquals("The output is not correct.",
-                "<meta name=\"_csrf_parameter\" content=\"_csrf\" />\n" +
-                        "        <meta name=\"_csrf_header\" content=\"X-Csrf-Token\" />\n" +
-                        "        <meta name=\"_csrf\" content=\"abc123def456ghi789\" />\n",
+                "<meta name=\"_csrf_parameter\" content=\"_csrf\" />" +
+                        "<meta name=\"_csrf_header\" content=\"X-Csrf-Token\" />" +
+                        "<meta name=\"_csrf\" content=\"abc123def456ghi789\" />",
                value);
    }

    @Test
-    public void testHandleToken02() {
+    public void handleTokenRendersTagsDifferentToken() {
        CsrfToken token = new DefaultCsrfToken("csrfHeader", "csrfParameter", "fooBarBazQux");

        String value = this.tag.handleToken(token);

        assertNotNull("The returned value should not be null.", value);
        assertEquals("The output is not correct.",
-                "<meta name=\"_csrf_parameter\" content=\"csrfParameter\" />\n" +
-                        "        <meta name=\"_csrf_header\" content=\"csrfHeader\" />\n" +
-                        "        <meta name=\"_csrf\" content=\"fooBarBazQux\" />\n",
+                "<meta name=\"_csrf_parameter\" content=\"csrfParameter\" />" +
+                        "<meta name=\"_csrf_header\" content=\"csrfHeader\" />" +
+                        "<meta name=\"_csrf\" content=\"fooBarBazQux\" />",
                value);
    }
 }