From ca1080fb96b34aeb6b365100b2b18ade25a5d1fb Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Fri, 13 Dec 2013 15:36:30 -0600
Subject: [PATCH] SEC-2439: HttpSessionCsrfTokenRepository setHeaderName sets header instead of parameter

---
 .../web/csrf/HttpSessionCsrfTokenRepository.java | 11 ++++++-----
 .../csrf/HttpSessionCsrfTokenRepositoryTests.java | 13 ++++++++++++-
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepository.java b/web/src/main/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepository.java
index 5d3964b40d..283e9c45fa 100644
--- a/web/src/main/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepository.java
+++ b/web/src/main/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepository.java
@@ -91,14 +91,15 @@ public final class HttpSessionCsrfTokenRepository implements CsrfTokenRepository
      * Sets the header name that the {@link CsrfToken} is expected to appear on
      * and the header that the response will contain the {@link CsrfToken}.
      *
-     * @param parameterName
-     *            the new parameter name to use
+     * @param headerName
+     *            the new header name to use
      */
-    public void setHeaderName(String parameterName) {
-        Assert.hasLength(parameterName, "parameterName cannot be null or empty");
-        this.parameterName = parameterName;
+    public void setHeaderName(String headerName) {
+        Assert.hasLength(headerName, "headerName cannot be null or empty");
+        this.headerName = headerName;
     }
+
     /**
      * Sets the {@link HttpSession} attribute name that the {@link CsrfToken} is stored in
      * @param sessionAttributeName the new attribute name to use
diff --git a/web/src/test/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepositoryTests.java b/web/src/test/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepositoryTests.java
index c0340522e3..5f238e519c 100644
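Review bot: `Assert.hasLength` on the corrected `setHeaderName` still accepts a whitespace-only string, and per the method's own Javadoc that value is the HTTP header the token is read from and written to, so a blank name would presumably never match a real request header and header-based token delivery would be silently disabled instead of failing at configuration time. `Assert.hasText(headerName, "headerName cannot be null or empty")` is the stricter check and already fits the existing message. The setter is complete within the hunk; the enclosing class continues outside it on both sides, and whether the sibling parameter-name setter has the same weakness cannot be seen from here.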
--- a/web/src/test/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/csrf/HttpSessionCsrfTokenRepositoryTests.java
@@ -64,6 +64,17 @@ public class HttpSessionCsrfTokenRepositoryTests {
         assertThat(token.getToken()).isNotEmpty();
     }
+    @Test
+    public void generateCustomHeader() {
+        String headerName = "CSRF";
+        repo.setHeaderName(headerName);
+
+        token = repo.generateToken(request);
+
+        assertThat(token.getHeaderName()).isEqualTo(headerName);
+        assertThat(token.getToken()).isNotEmpty();
+    }
+
     @Test
     public void loadTokenNull() {
         assertThat(repo.loadToken(request)).isNull();
@@ -116,7 +127,7 @@ public class HttpSessionCsrfTokenRepositoryTests {
     public void saveTokenNullTokenWhenSessionNotExists() {
         repo.saveToken(null, request, response);
-
+
         assertThat(request.getSession(false)).isNull();
     }
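Review bot: `generateCustomHeader` asserts that the custom header name is reported but never that the parameter name was left alone, which is the half of the bug the old `setHeaderName` actually got wrong by assigning `this.parameterName`. This test would catch the original clobbering only indirectly, through the header mismatch; a future change that writes both fields would pass it. Capturing `repo.generateToken(request).getParameterName()` before calling `setHeaderName` and asserting the value is unchanged afterwards, e.g. `assertThat(token.getParameterName()).isEqualTo(defaultParameterName);`, pins the invariant directly. The second hunk in this file is a whitespace-only change and needs no review.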