Add CsrfFilter.csrfRequestAttributeName
Previously the CsrfToken was set on the request attribute with the name equal to CsrfToken.getParameterName(). This didn't really make a lot of sense because the CsrfToken.getParameterName() is intended to be used as the HTTP parameter that the CSRF token was provided. What's more is it meant that the CsrfToken needed to be read for every request to place it as an HttpServletRequestAttribute. This causes unnecessary HttpSession access which can decrease performance for applications. This commit allows setting CsrfFilter.csrfReqeustAttributeName to remove the dual purposing of CsrfToken.parameterName and to allow deferal of reading the CsrfToken to prevent unnecessary HttpSession access. Issue gh-11699
This commit is contained in:
Rob Winch
@@ -775,6 +775,10 @@ It is highly recommended to leave CSRF protection enabled.
|
||||
The CsrfTokenRepository to use.
|
||||
The default is `HttpSessionCsrfTokenRepository`.
|
||||
|
||||
[[nsa-csrf-request-attribute-name]]
|
||||
* **request-attribute-name**
|
||||
Optional attribute that specifies the request attribute name to set the `CsrfToken` on.
|
||||
The default is `CsrfToken.parameterName`.
|
||||
|
||||
[[nsa-csrf-request-matcher-ref]]
|
||||
* **request-matcher-ref**
|
||||
|
||||
Reference in New Issue
Block a user