SEC-2286: CsrfFilter should log with URL when tokens don't match #2510
In org.springframework.security.web.csrf.CsrfFilter - line 89.
When the tokens don't match it would be good to have a logging statement (at TRACE level with the Request URL).
This would help a great deal when migrating a site to include CSRF tokens as it can be difficult to catch certain scenarios where wrong/no tokens are submitted.
At the moment it is a little scary rolling this out to an existing site with no way to detect when access denied is being thrown due to CSRF mismatch.
Rob Winch said:
Thanks for the report. I added logging at debug level that includes the Request URL. For reference, here is the commit 3f69847
A few notes:
If you want to upgrade and are nervous about CSRF causing issues, you can disable it (in the case of XML configuration, just do not enable it).
Also note that right now you can create a custom AccessDeniedHandler and determine if the AccessDeniedException is an InvalidCsrfTokenException. If so, you can log the message yourself.
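The workaround Rob describes (a custom AccessDeniedHandler that recognises InvalidCsrfTokenException and logs the request URL), as an added example; this is not code from the issue, from the linked commit, or from Spring Security itself. It assumes Spring Security 3.2 or later (where the CSRF classes live in org.springframework.security.web.csrf), the javax.servlet API, and commons-logging as the log API; the package name is hypothetical. It covers both the reporter's wish (see which URL was rejected) and Rob's suggestion (detect the exception type in a handler):

```java
package example.security; // hypothetical package name for this added example

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.csrf.InvalidCsrfTokenException;

/**
 * AccessDeniedHandler that logs the HTTP method and request URL whenever the
 * denial was caused by a CSRF token mismatch, then delegates to the default
 * handler so the 403 response the application already produces is unchanged.
 *
 * During a CSRF rollout the log line tells you exactly which forms or AJAX
 * calls are still being submitted without a valid token.
 */
public class CsrfLoggingAccessDeniedHandler implements AccessDeniedHandler {

    private static final Log logger = LogFactory.getLog(CsrfLoggingAccessDeniedHandler.class);

    // Handler that writes the normal access-denied response.
    private final AccessDeniedHandler delegate;

    public CsrfLoggingAccessDeniedHandler() {
        this(new AccessDeniedHandlerImpl());
    }

    public CsrfLoggingAccessDeniedHandler(AccessDeniedHandler delegate) {
        this.delegate = delegate;
    }

    @Override
    public void handle(HttpServletRequest request, HttpServletResponse response,
            AccessDeniedException accessDeniedException) throws IOException, ServletException {
        if (accessDeniedException instanceof InvalidCsrfTokenException) {
            // Log only the method, the URL (without query string) and the exception type.
            // The submitted token value and the exception message (which may echo that
            // value) are deliberately kept out of the log files.
            logger.warn("CSRF token mismatch on " + request.getMethod() + " "
                    + request.getRequestURL() + " ("
                    + accessDeniedException.getClass().getSimpleName() + ")");
        }
        delegate.handle(request, response, accessDeniedException);
    }
}

// Registration (assumed setup, not shown on the page):
//   Java config, inside configure(HttpSecurity http):
//     http.exceptionHandling().accessDeniedHandler(new CsrfLoggingAccessDeniedHandler());
//   XML namespace config, inside <http>:
//     <access-denied-handler ref="csrfLoggingAccessDeniedHandler"/>
```

Once this handler is in place you can grep the log for "CSRF token mismatch" while the site runs with CSRF protection enabled, and each line points at a request path that still needs the token wired in. Logging at WARN rather than TRACE is a choice made here so the lines show up in a production log without raising the level of the whole security package; adjust to taste.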