From 611a97023dd465e6497e09fcc0ce65dddb207657 Mon Sep 17 00:00:00 2001
From: kazuki43zoo
Date: Sun, 6 Oct 2013 00:12:50 +0900
Subject: [PATCH] SEC-2352: HttpSessionCsrfTokenRepository lazy session creation

---
 .../web/csrf/HttpSessionCsrfTokenRepository.java | 15 +++++++++++----
 .../csrf/HttpSessionCsrfTokenRepositoryTests.java | 15 +++++++++++++++
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepository.java
index c9927fd91c..5d3964b40d 100644
--- a/web/src/main/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepository.java
@@ -48,10 +48,13 @@ public final class HttpSessionCsrfTokenRepository implements CsrfTokenRepository
      */
     public void saveToken(CsrfToken token, HttpServletRequest request,
             HttpServletResponse response) {
-        HttpSession session = request.getSession();
-        if(token == null) {
-            session.removeAttribute(sessionAttributeName);
+        if (token == null) {
+            HttpSession session = request.getSession(false);
+            if (session != null) {
+                session.removeAttribute(sessionAttributeName);
+            }
         } else {
+            HttpSession session = request.getSession();
             session.setAttribute(sessionAttributeName, token);
         }
     }
@@ -60,7 +63,11 @@ public final class HttpSessionCsrfTokenRepository implements CsrfTokenRepository
      * @see org.springframework.security.web.csrf.CsrfTokenRepository#loadToken(javax.servlet.http.HttpServletRequest)
      */
     public CsrfToken loadToken(HttpServletRequest request) {
-        return (CsrfToken) request.getSession().getAttribute(sessionAttributeName);
+        HttpSession session = request.getSession(false);
+        if (session == null) {
+            return null;
+        }
+        return (CsrfToken) session.getAttribute(sessionAttributeName);
     }
 
     /*
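Review bot: The Javadoc above `loadToken` (the `@see` line in the second hunk) is unchanged, so nothing documents the new contract that this implementation returns null without creating a session when none exists, and that `saveToken(null, …)` in the first hunk likewise leaves a session-less request session-less; callers that rely on the repository to avoid eager session creation now depend on exactly that. I would add `* Returns the token held in the current session, or {@code null} without creating a session when none exists.` above `loadToken`, and a matching sentence on `saveToken` noting that only a non-null token triggers `request.getSession()`. The `(CsrfToken)` cast on the last added line is still unconditional, so a value of another type stored under `sessionAttributeName` would surface as a ClassCastException rather than a clear error; this is pre-existing, but since the attribute name is configurable via `setSessionAttributeName` (visible in the test file) a short comment or an `instanceof` guard would make the failure mode explicit.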
diff --git a/web/src/test/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepositoryTests.java b/web/src/test/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepositoryTests.java
index 2820f90d83..c0340522e3 100644
--- a/web/src/test/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepositoryTests.java
@@ -67,6 +67,13 @@ public class HttpSessionCsrfTokenRepositoryTests {
     @Test
     public void loadTokenNull() {
         assertThat(repo.loadToken(request)).isNull();
+        assertThat(request.getSession(false)).isNull();
+    }
+
+    @Test
+    public void loadTokenNullWhenSessionExists() {
+        request.getSession();
+        assertThat(repo.loadToken(request)).isNull();
     }
 
     @Test
@@ -105,6 +112,14 @@ public class HttpSessionCsrfTokenRepositoryTests {
                 .isFalse();
     }
 
+    @Test
+    public void saveTokenNullTokenWhenSessionNotExists() {
+
+        repo.saveToken(null, request, response);
+
+        assertThat(request.getSession(false)).isNull();
+    }
+
     @Test(expected = IllegalArgumentException.class)
     public void setSessionAttributeNameEmpty() {
         repo.setSessionAttributeName("");
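Review bot: The new `saveTokenNullTokenWhenSessionNotExists` test in the second hunk has a blank line directly after its opening brace and another between its two statements, which none of the surrounding tests do; I would drop both so the body reads `repo.saveToken(null, request, response);` immediately followed by `assertThat(request.getSession(false)).isNull();`. The added tests pin the no-session path for `loadToken` and for a null token, but nothing in these hunks asserts the positive side of the new behaviour — that `saveToken` with a non-null token still creates the session and that a null token with an existing session actually removes the attribute. If the tests outside these hunks do not already cover those two cases, a `saveTokenCreatesSessionWhenTokenPresent` test asserting `request.getSession(false)` is non-null after a save would complete the contract this commit introduces.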