Invalid CSRF token should be logged at a higher level than DEBUG

[inktomi]

Summary

This is an error condition, and should be logged as such.

Actual Behavior

o.s.security.web.csrf.CsrfFilter : Invalid CSRF token found for ....

is only logged at a DEBUG level, and therefore is hidden

Expected Behavior

Errors are logged as errors.

Version

5.0.0 M1

[rwinch]

Thank you for the suggestion.

User input (CSRF is included the HTTP request so it is considered something the user can provide) should not be able to cause logging at error log level.

I'm closing this as invalid.