SEC-2286: CsrfFilter should log with URL when tokens don't match #2510

Closed
spring-issuemaster opened this issue Aug 25, 2013 · 1 comment

@spring-issuemaster commented Aug 25, 2013

al (Migrated from SEC-2286) said:

In org.springframework.security.web.csrf.CsrfFilter - line 89.

When the tokens don't match it would be good to have a logging statement (at TRACE level with the Request URL).

This would help a great deal when migrating a site to include CSRF tokens as it can be difficult to catch certain scenarios where wrong/no tokens are submitted.

At the moment it is a little scary rolling this out to an existing site with no way to detect when access denied is being thrown due to CSRF mismatch.

@spring-issuemaster (Author) commented Aug 25, 2013

Rob Winch said:

Thanks for the report. I added logging at debug level that includes the Request URL. For reference, here is the commit 3f69847

A few notes:

If you want to upgrade and are nervous about CSRF causing issues, you can disable it (or, in the case of XML configuration, just not enable it).

Also note that right now you can create a custom AccessDeniedHandler and determine if the AccessDeniedException is an InvalidCsrfTokenException. If so, you can log the message yourself.
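The workaround described in the comment above, written out as an added example (this is not code from the issue or from Spring Security itself): an AccessDeniedHandler that logs the method and URL when the exception is an InvalidCsrfTokenException, then delegates to the stock AccessDeniedHandlerImpl so the 403 response is unchanged. The class name CsrfLoggingAccessDeniedHandler is an assumption; the Spring Security and Servlet types are the real ones from the 3.2-era API.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.csrf.InvalidCsrfTokenException;

/**
 * Hypothetical handler (not part of Spring Security): records which requests
 * fail the CSRF check so a rollout to an existing site can be monitored.
 * Register it via <access-denied-handler ref="..."/> in the XML namespace or
 * http.exceptionHandling().accessDeniedHandler(...) in Java config.
 */
public class CsrfLoggingAccessDeniedHandler implements AccessDeniedHandler {
    private static final Log logger = LogFactory.getLog(CsrfLoggingAccessDeniedHandler.class);

    // Keep the default behaviour (403 / error page); we only add logging in front of it.
    private final AccessDeniedHandler delegate = new AccessDeniedHandlerImpl();

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
                       AccessDeniedException ex) throws IOException, ServletException {
        // InvalidCsrfTokenException extends AccessDeniedException, so this is the
        // branch that distinguishes a CSRF mismatch from an ordinary authorization failure.
        if (ex instanceof InvalidCsrfTokenException && logger.isDebugEnabled()) {
            StringBuffer url = request.getRequestURL();
            String query = request.getQueryString();
            if (query != null) {
                url.append('?').append(query);
            }
            // Log the request, not the submitted token value: the log is for spotting
            // forms and AJAX calls that never got a token, and token values must not leak.
            logger.debug("CSRF token check failed for " + request.getMethod() + " " + url
                    + " (" + ex.getClass().getSimpleName() + ")");
        }
        delegate.handle(request, response, ex);
    }
}
```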
